Implicit Flow with Form Post
As an alternative to the Authorization Code Flow, the OAuth 2.0 spec includes the Implicit Flow intended for Public Clients, or applications which are unable to securely store Client Secrets. As part of the authorization response, the Implicit Flow returns an Access Token rather than an Authorization Code that must be exchanged at the token endpoint.
While this is no longer considered a best practice for requesting Access Tokens, it does offer a streamlined workflow if the application needs only an ID Token to perform user authentication.
How it works
In the Implicit Flow, issued tokens are short-lived, and Refresh Tokens are not available.
- The user clicks Login in the app.
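- Auth0's SDK redirects the user to the Auth0 Authorization Server (/authorize endpoint), passing along a response_type parameter of id_token that indicates the type of requested credential. It also passes along a response_mode parameter of form_post to ensure security: the response is then delivered to the app in the body of an HTTP POST rather than in the URL.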
- Your Auth0 Authorization Server redirects the user to the login and authorization prompt.
- The user authenticates using one of the configured login options and may see a consent page listing the permissions Auth0 will give to the app.
- Your Auth0 Authorization Server redirects the user back to the app with an ID Token.
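The steps above, seen from the application side, as an added example that is not Auth0's SDK or code from the original page: it builds the /authorize request and then validates the form-encoded POST that carries the ID Token. The function names, the session dictionary, and the use of state and nonce values are assumptions of this sketch, as is an RS256-signed token whose public key (jwk) has already been selected from the tenant's published signing keys.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(s):
    """Decode unpadded base64url, as used in JWTs and JWKs."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def authorize_url(domain, client_id, redirect_uri):
    """Return (url, state, nonce); store state and nonce in the user's session."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    query = urlencode({"response_type": "id_token", "response_mode": "form_post",
                       "client_id": client_id, "redirect_uri": redirect_uri,
                       "scope": "openid", "state": state, "nonce": nonce})
    return f"https://{domain}/authorize?{query}", state, nonce

def rs256_ok(signing_input, sig, jwk):
    """RSASSA-PKCS1-v1_5: rebuild the expected padded digest and compare it whole."""
    n, e = (int.from_bytes(b64u(jwk[name]), "big") for name in ("n", "e"))
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), expected)

def handle_callback(body, session, jwk, issuer, client_id, now=None):
    """Validate the form-encoded POST body delivered to the redirect URI."""
    form = {name: vals[0] for name, vals in parse_qs(body).items()}
    if "error" in form:
        raise ValueError("authorization error: " + form["error"])
    if not hmac.compare_digest(form.get("state", "").encode(), session["state"].encode()):
        raise ValueError("state mismatch")
    head, payload, sig = form.get("id_token", "").split(".")
    if json.loads(b64u(head)).get("alg") != "RS256":  # pin the algorithm expected
        raise ValueError("unexpected alg")
    if not rs256_ok(f"{head}.{payload}".encode(), b64u(sig), jwk):
        raise ValueError("bad signature")
    claims = json.loads(b64u(payload))
    aud = claims.get("aud")
    if claims.get("iss") != issuer or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong iss or aud")
    if claims.get("exp", 0) <= (now or time.time()):
        raise ValueError("token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), session["nonce"].encode()):
        raise ValueError("nonce mismatch")
    return claims
```

The signature check is written out with the standard library so the example runs offline; a deployed application would normally leave it to a maintained JWT library or the SDK.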
How to implement it
You can follow our tutorials to use our API endpoints to Add Login Using the Implicit Flow with Form Post.