
> Learn how Auth0's OIDC-conformant pipeline changes Implicit Flow behavior and updates existing applications without disrupting token handling.

# Implicit Flow with OIDC

export const AuthCodeBlock = ({filename, icon, language, highlight, children}) => {
  const [displayText, setDisplayText] = useState(children);
  const [copyText, setCopyText] = useState(children);
  const wrapperRef = React.useRef(null);
  useEffect(() => {
    let unsubscribe = null;
    function init() {
      if (!window.autorun || !window.rootStore) {
        return;
      }
      unsubscribe = window.autorun(() => {
        let processedChildrenForDisplay = children;
        let processedChildrenForCopy = children;
        for (const [key, value] of window.rootStore.variableStore.values.entries()) {
          const escapedKey = key.replaceAll(/[.*+?^${}()|[\]\\]/g, (String.raw)`\$&`);
          let displayValue = value;
          if (key === "{yourClientSecret}" && value !== "{yourClientSecret}") {
            displayValue = value.substring(0, 3) + "*****MASKED*****";
          }
          processedChildrenForDisplay = processedChildrenForDisplay.replaceAll(new RegExp(escapedKey, "g"), displayValue);
          processedChildrenForCopy = processedChildrenForCopy.replaceAll(new RegExp(escapedKey, "g"), value);
        }
        setDisplayText(processedChildrenForDisplay);
        setCopyText(processedChildrenForCopy);
      });
    }
    if (window.rootStore) {
      init();
    } else {
      window.addEventListener("adu:storeReady", init);
    }
    return () => {
      window.removeEventListener("adu:storeReady", init);
      unsubscribe?.();
    };
  }, [children]);
  useEffect(() => {
    if (!wrapperRef.current) return;
    const originalWriteText = navigator.clipboard.writeText.bind(navigator.clipboard);
    let isOverriding = false;
    const handleClick = e => {
      const button = e.target.closest('[data-testid="copy-code-button"]');
      if (!button || !wrapperRef.current.contains(button)) return;
      isOverriding = true;
      navigator.clipboard.writeText = text => {
        if (isOverriding) {
          isOverriding = false;
          navigator.clipboard.writeText = originalWriteText;
          return originalWriteText(copyText);
        }
        return originalWriteText(text);
      };
      setTimeout(() => {
        if (isOverriding) {
          isOverriding = false;
          navigator.clipboard.writeText = originalWriteText;
        }
      }, 100);
    };
    const wrapper = wrapperRef.current;
    wrapper.addEventListener('click', handleClick, true);
    return () => {
      wrapper.removeEventListener('click', handleClick, true);
      if (navigator.clipboard.writeText !== originalWriteText) {
        navigator.clipboard.writeText = originalWriteText;
      }
    };
  }, [copyText]);
  return <div ref={wrapperRef}>
      <CodeBlock filename={filename} icon={icon} language={language} lines highlight={highlight}>
        {displayText}
      </CodeBlock>
    </div>;
};

Traditionally, the [Implicit Flow](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post) was used by applications that were incapable of securely storing secrets. Using this flow is no longer considered a best practice for requesting <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+tokens">access tokens</Tooltip>; new implementations should use [Authorization Code Flow with PKCE](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce). However, when used with Form Post response mode, Implicit Flow does offer a streamlined workflow if the application needs only an <Tooltip tip="ID Token: Token, in JWT format, that carries claims about the authenticated user." cta="View Glossary" href="/docs/glossary?term=ID+token">ID token</Tooltip> to perform user authentication; in these cases, it would be used as part of the [Hybrid Flow](/docs/get-started/authentication-and-authorization-flow/hybrid-flow).

<Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=Refresh+tokens">Refresh tokens</Tooltip> will no longer be returned when using the Implicit Flow for authentication.

In addition, the OIDC-conformant pipeline affects the Implicit Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.

## Authentication request

### Legacy

```http lines theme={null}
GET /authorize?
    response_type=token
    &scope=openid email favorite_color offline_access
    &client_id=123
    &state=af0ifjsldkj
    &redirect_uri=https://app.example.com
    &device=my-device-name
```

The `device` parameter is only needed if requesting a refresh token by passing the `offline_access` scope. To learn more, read [Refresh Tokens](/docs/secure/tokens/refresh-tokens).

### OIDC-conformant

```http lines theme={null}
GET /authorize?
    response_type=token id_token
    &scope=openid email
    &client_id=123
    &state=af0ifjsldkj
    &nonce=jxdlsjfi0fa
    &redirect_uri=https://app.example.com
    &audience=https://api.example.com
```

* `response_type=token id_token` indicates that we want to receive both an access token and an ID token.
* Refresh tokens are not allowed in the implicit grant. Use `prompt=none` instead. To learn more, read [Configure Silent Authentication](/docs/authenticate/login/configure-silent-authentication).
* `favorite_color` is no longer a valid scope.
* `audience` is optional.
* `nonce` must be a cryptographically secure random string. To learn more, read [Mitigate Replay Attacks When Using the Implicit Flow](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post/mitigate-replay-attacks-when-using-the-implicit-flow).

## Authentication response

### Legacy

```http lines theme={null}
HTTP/1.1 302 Found
Location: https://app.example.com/#
    access_token=SlAV32hkKG
    &expires_in=86400
    &state=af0ifjsldkj
    &id_token=eyJ...
    &refresh_token=8xLOxBtZp8
    &token_type=Bearer
```

* The returned access token is valid for calling the [`/userinfo`](https://auth0.com/docs/api/authentication#get-user-info) endpoint.
* A refresh token will be returned only if a `device` parameter was passed and the `offline_access` scope was requested.

### OIDC-conformant

```http lines theme={null}
HTTP/1.1 302 Found
Location: https://app.example.com/#
    access_token=eyJ...
    &expires_in=86400
    &state=af0ifjsldkj
    &id_token=eyJ...
    &token_type=Bearer
```

* The returned access token is valid for calling the [`/userinfo`](https://auth0.com/docs/api/authentication#get-user-info) endpoint (provided that the API specified by the `audience` param uses `RS256` as [signing algorithm](/docs/get-started/applications/signing-algorithms)) and optionally the <Tooltip tip="Resource Server: Server hosting protected resources. Resource servers accept and respond to protected resource requests." cta="View Glossary" href="/docs/glossary?term=resource+server">resource server</Tooltip> specified by the `audience` parameter.
* If using `response_type=id_token`, Auth0 will only return an ID token.
* Refresh tokens are not allowed in the implicit grant. Use `prompt=none` instead.

## ID token structure

### Legacy

export const codeExample1 = `{
    "sub": "auth0|alice",
    "iss": "https://{yourDomain}/",
    "aud": "123",
    "exp": 1482809609,
    "iat": 1482773609,
    "email": "alice@example.com",
    "email_verified": true,
    "favorite_color": "blue"
}`;

<AuthCodeBlock children={codeExample1} language="json" filename="JSON" />

### OIDC-conformant

export const codeExample2 = `{
    "sub": "auth0|alice",
    "iss": "https://{yourDomain}/",
    "aud": "123",
    "exp": 1482809609,
    "iat": 1482773609,
    "email": "alice@example.com",
    "email_verified": true,
    "https://app.example.com/favorite_color": "blue",
    "nonce": "jxdlsjfi0fa"
}`;

<AuthCodeBlock children={codeExample2} language="json" filename="JSON" />

* The `favorite_color` claim must be namespaced and added through a rule. To learn more, read [Create Namespaced Custom Claims](/docs/secure/tokens/json-web-tokens/create-custom-claims).
* After validating the ID token's signature and standard claims, the application must also check that its <Tooltip tip="Nonce: Arbitrary number issued once in an authentication protocol to detect and prevent replay attacks." cta="View Glossary" href="/docs/glossary?term=nonce">nonce</Tooltip> claim matches the value sent in the request, to mitigate replay attacks.

## Access token structure (optional)

### Legacy

```text lines theme={null}
SlAV32hkKG
```

The returned Access Token is opaque and only valid for calling the `/userinfo` endpoint.

### OIDC-conformant

export const codeExample3 = `{
    "sub": "auth0|alice",
    "iss": "https://{yourDomain}/",
    "aud": [
        "https://api.example.com",
        "https://{yourDomain}/userinfo"
    ],
    "azp": "123",
    "exp": 1482816809,
    "iat": 1482809609,
    "scope": "openid email"
}`;

<AuthCodeBlock children={codeExample3} language="json" filename="JSON" />

* The returned access token is a <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWT">JWT</Tooltip> valid for calling the `/userinfo` endpoint (provided that the API specified by the `audience` param uses `RS256` as [signing algorithm](/docs/get-started/applications/change-application-signing-algorithms)) as well as the resource server specified by the `audience` parameter.
* An opaque access token could still be returned if `/userinfo` is the only specified <Tooltip tip="Audience: Unique identifier of the audience for an issued token. Named aud in a token, its value contains the ID of either an application (Client ID) for an ID Token or an API (API Identifier) for an Access Token." cta="View Glossary" href="/docs/glossary?term=audience">audience</Tooltip>.
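The following is an added example, not Auth0's code or part of this page, showing what the resource server named by `audience` (here `https://api.example.com`) should check on the OIDC-conformant access token above: that the token is a JWT rather than the opaque legacy form, that its `aud` list contains this API's identifier, that `iss` and `exp` are acceptable, and that the `scope` claim grants what the endpoint requires. The function names (`classifyAccessToken`, `authorizeAccessToken`), the constructed sample token, and the `requiredScopes` option are assumptions; signature verification against the tenant's JWKS is assumed to have passed before these checks run.

```javascript
// Added example (not Auth0's code): claim checks a resource server performs on
// the OIDC-conformant JWT access token. Assumed names: classifyAccessToken,
// authorizeAccessToken, SAMPLE_ACCESS_TOKEN. Signature verification is not shown.

function base64UrlEncode(str) {
  return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64UrlDecode(str) {
  const pad = "=".repeat((4 - (str.length % 4)) % 4);
  return atob(str.replace(/-/g, "+").replace(/_/g, "/") + pad);
}

// Test-only: builds an UNSIGNED JWT so the checks can run offline.
function encodeUnsignedJwt(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.`;
}

// The legacy opaque token (e.g. "SlAV32hkKG") has no JWT segments and is only
// meaningful to /userinfo; a JWT has base64url header and payload segments.
function classifyAccessToken(token) {
  const parts = String(token).split(".");
  const b64url = /^[A-Za-z0-9_-]+$/;
  return parts.length === 3 && b64url.test(parts[0]) && b64url.test(parts[1]) ? "jwt" : "opaque";
}

function authorizeAccessToken(token, { apiIdentifier, issuer, requiredScopes = [], now }) {
  if (classifyAccessToken(token) !== "jwt") {
    throw new Error("opaque token: not valid for this API");
  }
  const claims = JSON.parse(base64UrlDecode(token.split(".")[1]));
  if (claims.iss !== issuer) throw new Error("iss mismatch");
  // aud may be a string or an array (RFC 7519 section 4.1.3); this API must be listed.
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(apiIdentifier)) throw new Error("aud does not include this API");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("access token expired");
  // scope is a space-separated string; require every scope the endpoint needs.
  const granted = new Set((claims.scope || "").split(" ").filter(Boolean));
  const missing = requiredScopes.filter((s) => !granted.has(s));
  if (missing.length > 0) throw new Error(`missing scope: ${missing.join(" ")}`);
  // azp identifies the application the token was issued to (client_id 123 above).
  return { subject: claims.sub, clientId: claims.azp, scopes: [...granted] };
}

// Constructed sample mirroring the page's OIDC-conformant access token.
const SAMPLE_ACCESS_TOKEN = encodeUnsignedJwt({
  sub: "auth0|alice",
  iss: "https://{yourDomain}/",
  aud: ["https://api.example.com", "https://{yourDomain}/userinfo"],
  azp: "123",
  exp: 1482816809,
  iat: 1482809609,
  scope: "openid email",
});
```

Because `aud` is a list here, the check must be membership rather than equality; an API that compares `aud === apiIdentifier` would reject every token that also lists `/userinfo`.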

## Learn more

* [Access Tokens with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-access-tokens)
* [External APIs with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-apis)
* [Authorization Code Flow with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-auth-code-flow)
* [Client Credentials Flow with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-client-credentials-flow)
* [Delegation with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-delegation)
* [Refresh Tokens with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-refresh-tokens)
