Call APIs from Client-side Web Apps
The OAuth 2.0 grant that client-side web apps use in order to access an API is the Implicit Grant.

The Implicit Grant (defined in RFC 6749, section 4.2) is also a redirect-based flow, similar to the Authorization Code Grant. The main difference is that all of the interactions with the Authorization Server happen through the User Agent, including receiving the access token: instead of returning an authorization code that the Client exchanges at the token endpoint, the Authorization Server returns the access_token directly in the redirect, in the URL hash fragment. After receiving the access_token, the User Agent exposes it to the Client, allowing it to call the Resource Server on behalf of the Resource Owner.
- The Client initiates the flow and redirects the user to the Authorization Server
- The user authenticates
- The Authorization Server redirects the user to the Client with an access_token (and optionally an id_token) in the hash fragment
- The Client can use the access_token to call the Resource Server on behalf of the user
The first time the user goes through this flow, a consent page is shown listing the permissions that will be given to the Client (e.g. post messages, list contacts, ...).
This grant fits the following situation:

- The Client needs to make calls to the Resource Server on behalf of the Resource Owner
- The Client is typically a Single Page Application or a Mobile Application

Because the access_token is delivered in the URL fragment, it is visible to the Resource Owner and to any other script or application with access to the User Agent; RFC 6749, section 10.3 calls this out as a property of the Implicit Grant, and the OAuth 2.0 Security Best Current Practice (RFC 9700) recommends the Authorization Code Grant with PKCE for browser-based apps instead.