The implicit grant type does not require client authentication, and relies on the presence of the resource owner and the registration of the redirection URI. The resource owner needs to authenticate with the authorization server to obtain the access token. Because the access token is encoded into the redirection URI, it may be exposed to the resource owner and other applications residing in the same device.
The diagram below depicts the flow of Implicit Grant.
The client requests for the access token with the client ID and grant type with optional parameters.
Since the resource owner authenticates directly with the authorization server, his/her credentials will not be shared with the client.
The Authorization Server sends the Access token in URI fragment to the client.
Client extract the token from the fragment and send the API request to the Resource Server with the access token.
With this grant, the refresh token will not be issued for the client as the client type is public. Also note that, the implicit grant does not include client authentication because it does not make use of client secret.
Invoking the Token API to generate tokens
In his example we are using WSO2 Playground hosted as a web application to obtain the access token with implicit grant.
Setup WSO2 Playground sample webapp in a Application server. You can use WSO2 Identity Server to host the web application following below steps.
You can check out the repository of the OAuth 2.0 sample from GitHub. Follow the instructions here tocheckout the folder. We refer <SAMPLE_HOME> as the modules/samples folder inside the folder where the product-is repository is checked out.
Open a terminal window and add the following entry to the
/etc/hostsfile of your machine to configure the hostname.
Why is this step needed?
Some browsers do not allow you to create cookies for a naked hostname, such as
localhost. Cookies are required when working with SSO. Therefore, to ensure that the SSO capabilities work as expected in this tutorial, you need to configure the
etc/hostfile as explained in this step.
etc/hostfile is a read-only file. Therefore, you won't be able to edit it by opening the file via a text editor. To avoid this, edit the file using the terminal commands.
For example, use the following command if you are working on a Mac/Linux environment.
In your command line, navigate to
<SAMPLE_HOME>/oauth2/playground2in the folder you checked out and build the sample using the following command. You must have Apache Maven installed to do this (see Installation Prerequisites for the appropriate version to use).
After successfully building the sample, a .
warfile named playground2 can be found inside the
<SAMPLE_HOME>/oauth2/playground2/targetfolder. Deploy this sample web app on a web container. To do this, use the Apache Tomcat server.
Since this sample is written based on Servlet 3.0 it needs to be deployed on Tomcat 7.x.
Use the following steps to deploy the web app in the web container:
- Stop the Apache Tomcat server if it is already running.
- Copy the
playground2.warfile to the
- Start the Apache Tomcat server.
Make sure to update param-value the following parameter in the
WEB-INF/web.xmlfile with the serverurl of the Identity Server if required. Service URL should have the port the application is started up with. If you have started the Identity Serve with anoff set, then the matching port should be configuredhear.
localhostis the server that hosts WSO2 Identity Server and
9443is the default SSL port of it. Inorder to access the admin services you should have the values in step 5 and 6. Since playground application is accessing the admin service OAuth2TokenValidationService, you should have the correct serverUrl,username and password asdescripbed in step 5 and 6.
Update param-value of the parameters below with credentials of an admin user if required.
wso2is.localor something similarly appropriate.
Restart Apache Tomcat and access
http://wso2is.local:8080/playground2/(assuming Tomcat is running on HTTP port 8080). You are directed to the landing page of the sample application. Click on Import Photos and the following page appears.
- Login to WSO2 API Manager Store and create an application as below.
- Go to production keys tab in the created application, Add http://localhost:8080/playground2/oauth2client as the callback URL, select implicit from the Grant Types and click Generate Keys.
- Visit the URL http://wso2is.local:8080/playground2/oauth2.jsp to start the web application.