Implicit Flow

Single-page applications (SPAs) have special requirements during authentication. A SPA is a public client: all of its code runs in the browser, so it cannot keep a Client Secret (or any other long-lived credential) confidential. For this reason the OAuth 2.0 Implicit Flow exists (defined in RFC 6749, section 4.2). It drops the back-channel token exchange of the Authorization Code Flow: the Authorization Server returns the tokens directly, in the fragment of the redirect URI, so no client secret is needed at any point.

How it works

In the Implicit Flow the issued tokens are short-lived, and the Authorization Server never issues a Refresh Token (RFC 6749 forbids it for this grant). Note that the OAuth 2.0 Security Best Current Practice from the IETF now recommends the Authorization Code Flow with PKCE for SPAs instead, because tokens returned in a URL can leak through browser history and to any script running on the page; the sequence below is still what existing Implicit Flow integrations rely on.

Implicit Flow Authentication Sequence

  1. The user clicks Login within the SPA.
  2. Auth0's SDK redirects the user to the Auth0 Authorization Server (/authorize endpoint), passing a response_type parameter that indicates the type of credential requested, together with a state value that binds the response to this browser session and, when an ID Token is requested, a nonce that the issued ID Token must echo back.
  3. Your Auth0 Authorization Server redirects the user to the login and authorization prompt.
  4. The user authenticates using one of the configured login options and may see a consent page listing the permissions Auth0 will give to the SPA.
  5. Your Auth0 Authorization Server redirects the user back to the SPA with the tokens in the fragment of the redirect URI. Which tokens are returned depends on the response_type parameter from step 2:
  • An ID Token (response_type=id_token);
  • An Access Token (response_type=token);
  • An ID Token and an Access Token (response_type=id_token token).
  6. After checking that the returned state matches the one it sent (and, for an ID Token, validating the token including its nonce), your SPA uses the Access Token as a Bearer token to call an API.
  7. The API responds with the requested data.
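The browser side of the sequence above, as an added example in plain JavaScript (this is not Auth0's SDK or Quickstart code): it builds the /authorize request from step 2, parses the fragment returned in step 5 and checks state and nonce before the tokens are used. The tenant name, client_id, redirect URI and the ID Token it decodes are constructed placeholders; the token's signature is not verified here, which a real client must do against the tenant's JWKS (Auth0's SDKs handle that for you).

```javascript
// Added example (not Auth0's SDK or Quickstart code): the browser side of the
// Implicit Flow sequence, in plain JavaScript. Placeholders: tenant
// "example.auth0.com", client_id "CLIENT_ID", redirect_uri
// "https://app.example.com/callback".

// In a browser use this for `state` and `nonce`; both must be unguessable and
// fresh for every request. (Not called in the walk-through below, which uses
// fixed constructed values so it is reproducible.)
function randomToken(bytes = 16) {
  const buf = new Uint8Array(bytes);
  globalThis.crypto.getRandomValues(buf);
  return Array.from(buf, b => b.toString(16).padStart(2, "0")).join("");
}

// Step 2: build the /authorize request. `state` binds the response to this
// browser session (CSRF protection); `nonce` must come back inside the ID Token
// and is required whenever response_type includes id_token. `audience` is the
// Auth0 parameter naming the API the Access Token is meant for.
function buildAuthorizeUrl({ domain, clientId, redirectUri, responseType, scope, state, nonce, audience }) {
  const url = new URL(`https://${domain}/authorize`);
  url.searchParams.set("response_type", responseType); // "id_token", "token" or "id_token token"
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", scope);
  url.searchParams.set("state", state);
  if (responseType.includes("id_token")) url.searchParams.set("nonce", nonce);
  if (audience) url.searchParams.set("audience", audience);
  return url.toString();
}

// Step 5: the tokens arrive in the URL fragment of the redirect URI, e.g.
// https://app.example.com/callback#access_token=...&id_token=...&state=...
function parseFragment(callbackUrl) {
  const hash = new URL(callbackUrl).hash.replace(/^#/, "");
  return Object.fromEntries(new URLSearchParams(hash).entries());
}

function base64UrlEncode(str) {
  const bin = Array.from(new TextEncoder().encode(str), b => String.fromCharCode(b)).join("");
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64UrlDecode(str) {
  const b64 = str.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - str.length % 4) % 4);
  return new TextDecoder().decode(Uint8Array.from(atob(b64), c => c.charCodeAt(0)));
}

// Decode the ID Token payload. This does NOT check the signature: a real client
// must verify it against the tenant's JWKS (https://<domain>/.well-known/jwks.json),
// or let the SDK do so, before trusting any claim used below.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Accept the callback only if `state` matches what this session sent and, when
// an ID Token is present, its iss/aud/exp/nonce claims check out. (When both an
// Access Token and an ID Token are returned, OIDC also defines an at_hash claim
// that binds the two; it is not checked in this example.)
function validateCallback(fragment, { expectedState, expectedNonce, clientId, issuer, now = Math.floor(Date.now() / 1000) }) {
  if (fragment.state !== expectedState) throw new Error("state mismatch: response is not bound to this session");
  if (fragment.error) throw new Error(`authorization failed: ${fragment.error}`);
  const result = { accessToken: fragment.access_token, idToken: fragment.id_token, expiresIn: Number(fragment.expires_in) };
  if (fragment.id_token) {
    const claims = decodeJwtPayload(fragment.id_token);
    const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
    if (claims.iss !== issuer) throw new Error("unexpected issuer");
    if (!aud.includes(clientId)) throw new Error("ID Token was not issued for this client");
    if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("ID Token expired");
    if (claims.nonce !== expectedNonce) throw new Error("nonce mismatch: possible replayed ID Token");
    result.claims = claims;
  }
  return result;
}

// Constructed walk-through (no network). The ID Token below is fabricated for
// this example; its signature segment is a placeholder and is never verified.
const DEMO = { domain: "example.auth0.com", clientId: "CLIENT_ID", redirectUri: "https://app.example.com/callback", state: "state-7f3a", nonce: "nonce-9c21" };
const demoAuthorizeUrl = buildAuthorizeUrl({ ...DEMO, responseType: "id_token token", scope: "openid profile", audience: "https://api.example.com" });
const demoIdToken = [
  base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT", kid: "demo-key" })),
  base64UrlEncode(JSON.stringify({ iss: "https://example.auth0.com/", sub: "auth0|123", aud: "CLIENT_ID", iat: 1700000000, exp: 4102444800, nonce: DEMO.nonce })),
  "placeholder-signature",
].join(".");
const demoCallbackUrl = `${DEMO.redirectUri}#access_token=AT123&expires_in=7200&token_type=Bearer&id_token=${demoIdToken}&state=${DEMO.state}`;
const demoResult = validateCallback(parseFragment(demoCallbackUrl), { expectedState: DEMO.state, expectedNonce: DEMO.nonce, clientId: DEMO.clientId, issuer: "https://example.auth0.com/" });
// Step 6 would then be: fetch(apiUrl, { headers: { Authorization: `Bearer ${demoResult.accessToken}` } })
```

The state check is what stops an attacker from planting their own callback URL (and their own tokens) into the victim's session, and the nonce check is what stops an ID Token captured from one session from being replayed into another; neither check is optional in this flow, because the browser is the only party that can perform them.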

How to implement it

The easiest way to implement the Implicit Flow is to follow our Single-Page App Quickstarts.

You can also use our SDKs.

Finally, you can follow our tutorials to use our API endpoints to Add Login Using the Implicit Flow or Call Your API Using the Implicit Flow.

SPAs and refresh tokens

Because the tokens are delivered to JavaScript running in the browser, the Access Token is exposed on the client side, where any script executing in the page can read it. For the same reason the Implicit Flow does not return a Refresh Token: a long-lived credential cannot be kept private in the browser, and RFC 6749 forbids issuing one in this grant.

While SPAs using the Implicit Grant cannot use Refresh Tokens, there are other ways to provide similar functionality.

  • Call the /authorize endpoint with prompt=none. The Authorization Server answers using the user's existing Auth0 session without showing the login or consent dialogs, and returns error=login_required if there is no valid session. For more information, see Silent Authentication.
  • Make that call from a hidden iframe rather than a top-level redirect. When the iframe lands back on your redirect URI, the parent frame reads the new Access Token from the iframe's URL fragment, so the user never sees the redirects. This relies on the browser sending the Auth0 session cookie from inside the iframe (a third-party context); browsers that block third-party cookies will answer with login_required instead.
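As an added example (not Auth0's own code), here is what the two bullets above look like in plain JavaScript: an existing /authorize URL is turned into a prompt=none request, the result the hidden iframe lands on is classified into "renewed", "user must log in again" or "error", and the iframe plumbing itself is shown for the browser. The tenant, client_id, redirect URI and the two callback fragments in the walk-through are constructed placeholders.

```javascript
// Added example (not Auth0's SDK code): token renewal with prompt=none in a
// hidden iframe. Placeholders: tenant "example.auth0.com", client_id
// "CLIENT_ID", redirect_uri "https://app.example.com/callback".
// Caveat: this only works while the browser sends the Auth0 session cookie
// from inside the iframe (a third-party context); browsers that block
// third-party cookies will return login_required every time.

// Turn an ordinary /authorize URL into a silent-authentication request.
// prompt=none asks the Authorization Server to answer without any login or
// consent page and to return error=login_required when that is impossible.
// state and nonce must be fresh for every request, silent ones included.
function buildSilentAuthUrl(authorizeUrl, { state, nonce }) {
  const url = new URL(authorizeUrl);
  url.searchParams.set("prompt", "none");
  url.searchParams.set("state", state);
  if ((url.searchParams.get("response_type") || "").includes("id_token")) url.searchParams.set("nonce", nonce);
  return url.toString();
}

// The iframe is redirected to redirect_uri with the result in the URL fragment.
function parseFragment(callbackUrl) {
  const hash = new URL(callbackUrl).hash.replace(/^#/, "");
  return Object.fromEntries(new URLSearchParams(hash).entries());
}

// Sort the outcome into: renewed, user interaction needed, or a real error.
// login_required / consent_required / interaction_required are the errors
// OpenID Connect defines for prompt=none; they mean "send the user through the
// interactive flow again", not that the renewal code is broken.
const INTERACTION_ERRORS = ["login_required", "consent_required", "interaction_required"];
function classifySilentAuthResult(fragment, expectedState) {
  if (fragment.state !== expectedState) return { status: "rejected", reason: "state mismatch" };
  if (fragment.error) {
    const reason = fragment.error_description || fragment.error;
    return INTERACTION_ERRORS.includes(fragment.error)
      ? { status: "login_required", reason }
      : { status: "error", reason };
  }
  if (!fragment.access_token && !fragment.id_token) return { status: "error", reason: "no token in response" };
  return { status: "renewed", accessToken: fragment.access_token, idToken: fragment.id_token, expiresIn: Number(fragment.expires_in) };
}

// Browser only: load the silent request in a hidden iframe and read the result
// once the iframe lands back on our own origin. While it is still on the
// Authorization Server, contentWindow.location is cross-origin and throws,
// which we treat as "not finished yet". The iframe is always removed again.
function renewSilently(silentAuthUrl, expectedState, timeoutMs = 10000) {
  return new Promise((resolve, reject) => {
    const iframe = document.createElement("iframe");
    iframe.style.display = "none";
    const finish = (settle, value) => { clearTimeout(timer); iframe.remove(); settle(value); };
    const timer = setTimeout(() => finish(reject, new Error("silent authentication timed out")), timeoutMs);
    iframe.addEventListener("load", () => {
      let href;
      try { href = iframe.contentWindow.location.href; } catch { return; }
      if (new URL(href).origin !== window.location.origin) return;
      finish(resolve, classifySilentAuthResult(parseFragment(href), expectedState));
    });
    iframe.src = silentAuthUrl;
    document.body.appendChild(iframe);
  });
}

// Constructed walk-through (no browser, no network): one renewed Access Token
// and one expired Auth0 session, as the iframe would deliver them.
const demoAuthorizeUrl = "https://example.auth0.com/authorize?response_type=token&client_id=CLIENT_ID"
  + "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&scope=openid&audience=https%3A%2F%2Fapi.example.com";
const demoSilentUrl = buildSilentAuthUrl(demoAuthorizeUrl, { state: "s-42", nonce: "n-42" });
const demoRenewed = classifySilentAuthResult(
  parseFragment("https://app.example.com/callback#access_token=AT456&expires_in=7200&token_type=Bearer&state=s-42"), "s-42");
const demoExpiredSession = classifySilentAuthResult(
  parseFragment("https://app.example.com/callback#error=login_required&error_description=Login%20required&state=s-42"), "s-42");
```

Treat "login_required" as a normal signal to start the interactive flow again rather than as a failure to retry: looping on silent renewal against a browser that refuses third-party cookies only generates load on the Authorization Server and never succeeds.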
