OAuth 2.0 Implicit Requests and Responses
Jakob Jenkov
The implicit grant consists of only 1 request and 1 response.
Implicit Grant Request
The implicit grant request contains the following parameters:
response_type | Required. Must be set to token.
client_id | Required. The client identifier as assigned by the authorization server, when the client was registered.
redirect_uri | Optional. The redirect URI registered by the client.
scope | Optional. The possible scope of the request.
state | Optional (recommended). Any client state that needs to be passed on to the client request URI.
Implicit Grant Response
The implicit grant response contains the following parameters. Note that the implicit grant response is not JSON.
access_token | Required. The access token assigned by the authorization server.
token_type | Required. The type of the token.
expires_in | Recommended. A number of seconds after which the access token expires.
scope | Optional. The scope of the access token.
state | Required, if present in the authorization request. Must be the same value as the state parameter in the request.
Implicit Grant Error Response
If an error occurs during authorization, two situations can occur.
The first is that the client is not authenticated or recognized. For instance, a wrong redirect URI was sent in the request. In that case the authorization server must not redirect the resource owner to the redirect URI. Instead it should inform the resource owner of the error.
The second situation is that the client is okay, but something else went wrong. In that case the following error response is sent to the client, included in the redirect URI:
error | Required. Must be one of a set of predefined error codes. See the specification for the codes and their meaning.
error_description | Optional. A human-readable UTF-8 encoded text describing the error. Intended for a developer, not an end user.
error_uri | Optional. A URI pointing to a human-readable web page with information about the error.
state | Required, if present in authorization request. The same value as sent in the state parameter in the request.
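The request and the two response forms above, as an added example that is not part of the original article: a client builds the authorization request, then parses the redirect it receives and rejects any response whose state does not match the value it sent. The endpoint URL, client identifier, redirect URI and the two local error labels are constructed assumptions; per RFC 6749 section 4.2.2 the response parameters arrive form-urlencoded in the fragment of the redirect URI.

```javascript
// Added example; AUTHZ_ENDPOINT is a constructed placeholder, not a real server.
const AUTHZ_ENDPOINT = "https://auth.example.com/authorize";

// Build the authorization request URL from the request parameters.
function buildImplicitRequest({ clientId, redirectUri, scope, state }) {
  const url = new URL(AUTHZ_ENDPOINT);
  url.searchParams.set("response_type", "token"); // required, fixed value
  url.searchParams.set("client_id", clientId);    // required
  if (redirectUri) url.searchParams.set("redirect_uri", redirectUri);
  if (scope) url.searchParams.set("scope", scope);
  // Recommended: an unguessable per-request value the client remembers.
  if (state) url.searchParams.set("state", state);
  return url.toString();
}

// Parse the redirect the client receives. expectedState is the value the
// client sent in the request (undefined if it sent none).
function parseImplicitResponse(redirectedUrl, expectedState) {
  const fragment = new URL(redirectedUrl).hash.replace(/^#/, "");
  const p = new URLSearchParams(fragment); // form-urlencoded, not JSON
  // state must come back unchanged in success and error responses alike.
  if (expectedState !== undefined && p.get("state") !== expectedState) {
    return { ok: false, error: "state_mismatch" }; // local label, not a spec code
  }
  if (p.has("error")) {
    return { ok: false, error: p.get("error"),
             description: p.get("error_description"), uri: p.get("error_uri") };
  }
  const accessToken = p.get("access_token");
  const tokenType = p.get("token_type");
  if (!accessToken || !tokenType) {
    return { ok: false, error: "missing_required_parameter" }; // local label
  }
  // expires_in is only recommended; treat absent or malformed values as unknown.
  const n = Number(p.get("expires_in"));
  const expiresIn = Number.isInteger(n) && n > 0 ? n : null;
  return { ok: true, accessToken, tokenType, expiresIn, scope: p.get("scope") };
}
```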