Implicit grant in OAuth 2.0

Implicit grant in OAuth 2.0 is an approach to get access tokens for public clients from an authentication server. Although, It doesn’t support refreshing issued tokens but it’s a quick way to get one when developing a JavaScript based application. A very interesting point in implicit grant type is the fact that tokens are issued for one specific redirection URI. This means if the authentication server (Auth server) grants a token, it’ll be passed to redirection URI as a query string parameter, crazy right! so I’ve used it in a project recently and learned a lot of cool stuffs which I’m gonna break it down for you here.

So the process of implicit grant starts with

  1. Setting up OAuth 2.0 client in authentication server.
  • Remember to check implicit flow in your OAuth 2.0 client.
  • Redirect URI is where you want the token to be sent.
  • ClientID is reserved for your app so name it accordingly.

2. Write a bit of code to send the token request to the Auth server.  I’m using TypeScript so my code would like this.

public Authenticationrequest() {
var client_id = "YOUR-CLIENT-ID"; 
var scope = "OPTIONAL"; 
var redirect_uri = "YOUR_REDIRECT_URI"; 
var response_type = "token"; 
var authserver = "YOUR-AUTH-SERVER-URL?"; 
var state = "OPTIONAL"; 
var AuthenticationURL = authserver + "response_type=" + response_type + "&scope=" + scope + "&client_id=" + client_id + "&state=" + state + "&redirect_uri=" + redirect_uri; 
return AuthenticationURL; 



It is important to note that Auth server only processes https requests by nature so your redirect URI address needs to be https secure protocol. Because the Auth server and your redirect URI not on the same level if you want to preserve a variable before sending the Auth request, state comes in handy. Put your variables in state so that it will be returned to return URI address and you can process it then.

  1. Auth request being sent to Auth server from the same domain that redirect URI is, the Auth server checks clientID and if every things checks out, it’ll grant a token.
  2. The response is sent to redirect URI address in a form of couple of parameters. Matter of fact, as soon as return URI page is called, you need to get the full address (which includes token, state, expiry time and bunch of other stuffs) and parse the it to take the parameters out.

Photo source:

Ramin Ahmadi
I am a full-stack front end developer with over 5 years experience in web design and development. I have worked with a wide variety of environments and languages including Angular, TypeScript, NodeJS, Restful API, Microservices, Atomic design, JQuery, Material design, Progressive Web Apps, DevOps, and many Azure tools. I make it a goal to automate myself out of routine tasks in my daily work. My motto is, ‘write human readable code, lean and clean’.

Comments 2

Your email address will not be published. Required fields are marked *

Implicit grant in OAuth 2.0

log in


reset password

Back to
log in
Font Resize
Choose A Format
Trivia quiz
Series of questions with right and wrong answers that intends to check knowledge
Voting to make decisions or determine opinions
The Classic Internet Listicles
Photo or GIF
GIF format