Tech and Media Labs
This site uses cookies to improve the user experience.

OAuth 2.0 Implicit Requests and Responses

Jakob Jenkov
Last update: 2014-06-15

The implicit grant consists of only 1 request and 1 response.

Implicit Grant Request

The implicit grant request contains the following parameters:

response_type Required. Must be set to token .
client_id Required. The client identifier as assigned by the authorization server, when the client was registered.
redirect_uri Optional. The redirect URI registered by the client.
scope Optional. The possible scope of the request.
state Optional (recommended). Any client state that needs to be passed on to the client request URI.

Implicit Grant Response

The implicit grant response contains the following parameters. Note, that the implicit grant response is not JSON.

access_token Required. The access token assigned by the authorization server.
token_type Required. The type of the token
expires_in Recommended. A number of seconds after which the access token expires.
scope Optional. The scope of the access token.
state Required, if present in the autorization request. Must be same value as state parameter in request.

Implicit Grant Error Response

If an error occurs during authorization, two situations can occur.

The first is, that the client is not authenticated or recognized. For instance, a wrong redirect URI was sent in the request. In that case the authorization server must not redirect the resource owner to the redirect URI. Instead it should inform the resource owner of the error.

The second situation is that client is okay, but that something else happened. In that case the following error response is sent to the client, included in the redirect URI:

error Required. Must be one of a set of predefined error codes. See the specification for the codes and their meaning.
error_description Optional. A human-readable UTF-8 encoded text describing the error. Intended for a developer, not an end user.
error_uri Optional. A URI pointing to a human-readable web page with information about the error.
state Required, if present in authorization request. The same value as sent in the state parameter in the request.

Jakob Jenkov

Copyright  Jenkov Aps
Close TOC