NOTE: Trivore ID Documentation has moved to https://trivoreid.com
The content on this site IS OUT OF DATE!
This space has been archived!
Please go ahead to the new site!
Implicit grant flow
Using the Implicit grant flow
Another flow used in OpenID Connect is the implicit grant flow. In this flow the client credentials are not expected to remain confidential and can be distributed along with the application, which can be a stand-alone JavaScript web application or a mobile application. In the implicit grant flow the client receives all tokens from the authorization endpoint.
The accompanying listing shows an example of the use of the implicit grant flow.
Note that when developing a desktop application, there has to be some way to pass the access token and the ID Token to the application. The easiest way to do this is to redirect the client to http://localhost (the http scheme is allowed only when redirecting to localhost) and let the end user know that the URL has to be manually copied from the browser window and pasted into the application.
A more clever way would be to embed a tiny web server in the application and listen on a port that is known to be often available, like 8888. However, as the access token and the ID Token are passed in the URL fragment, they are never actually sent to the server. A way around this would be to embed a small piece of JavaScript code in the served web page that extracts the values from the fragment and sends them to the server. This kind of scheme is out of scope of this document, though.
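A sketch of the embedded-server scheme described above, added here as an illustration and not taken from the Trivore ID documentation. It assumes the redirect URI is registered as http://localhost:8888/ and that the application sent a random `state` value in its authorization request; the `/tokens` path and the function names are hypothetical.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# The fragment never reaches the server, so the served page forwards it in a
# POST body and scrubs it from the address bar and the history entry.
PAGE = b"""<!doctype html><body>Completing sign-in...<script>
const frag = location.hash.slice(1);
history.replaceState(null, "", location.pathname);
fetch("/tokens", {method: "POST", body: frag});
</script></body>"""

def parse_response(body, expected_state):
    """Parse the forwarded fragment; reject it unless state matches."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    # Any web page can POST to a loopback port; the unguessable state value
    # ties this response to the request the application itself started.
    got = params.get("state", "").encode()
    if not expected_state or not hmac.compare_digest(got, expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in params:
        raise ValueError("authorization error: " + params["error"])
    if "access_token" not in params or "id_token" not in params:
        raise ValueError("tokens missing")
    return params

def receive_tokens(expected_state, port=8888):
    """Serve PAGE on loopback only; return after the first valid POST."""
    result = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(PAGE)
        def do_POST(self):
            try:
                size = max(0, min(int(self.headers.get("Content-Length", 0)), 16384))
                body = self.rfile.read(size).decode()
                result.update(parse_response(body, expected_state))
                self.send_response(204)
            except ValueError:  # forged or malformed: reject, keep waiting
                self.send_response(400)
            self.end_headers()

    with HTTPServer(("127.0.0.1", port), Handler) as server:
        while not result:
            server.handle_request()
    return result
```

The ID Token returned by `receive_tokens` still has to have its signature and nonce validated before the application trusts it.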