OAuth 2.0 Tutorial 3: The Implicit Grant Type


The Problem

We need to define an OAuth 2.0 interface that will grant access to third-party client applications that do not have an existing trust relationship with the authorization server. The solution must use the Implicit grant type for retrieving a valid access token.


The Solution

The Layer 7 OAuth Toolkit supports all the core grant types in the OAuth 2.0 specification and can be configured to use the Implicit grant type. This will allow client applications to retrieve access tokens without having to authenticate directly with the authorization server.

The Implicit grant type is very similar to the Authorization Code grant type but the process is somewhat simplified. The resource owner is redirected to the authorization server for authentication and to allow access. At this point, an access token is created immediately and redirected back to the client application – this eliminates the need for a client-to-authorization-server handshake.

In the video at the bottom of this page, you will see how the authorization server creates a session, generates an access token and redirects back to the client application:



We will also show you how to:

  • Configure the authorization server
  • Implement the OAuth interaction on the resource server, with a simple policy fragment
  • Tailor access control rules based on metadata from the resource owner