About
The implicit grant is a grant type (flow) that issued directly an access token. (It does not support the issuance of refresh tokens).
This grant type is called implicit, as no intermediate credentials (such as an authorization code) are issued).
It's indirect and redirection-based flow that is optimized for public clients implemented in a browser using a scripting language such as JavaScript.
The implicit grant type does not include client authentication, and relies on:
- the presence of the resource owner (end-user)
- and the registration of the redirection URI (client identity verification)
Pro and Cons
Implicit grants improve the responsiveness and efficiency of some clients (such as a client implemented as an in-browser application), since it reduces the number of round trips required to obtain an access token. However, this convenience should be weighed against the security implications of using implicit grants, such as those described in Sections 10.3 and 10.16, especially when the authorization code grant type is available.
Because the access token is encoded into the redirection URI, it may be exposed to the resource owner and other applications residing on the same device.
ie sending the access token in the URL can be a security vulnerability. For example the token could be leaked through web server logs and or browser history.