Implicit Flow with Form Post

You can use OpenID Connect (OIDC) with many different flows to achieve web sign-in for a traditional web app. In one common flow, you obtain an ID token using the authorization code flow, performed by the app backend. This method is effective and robust; however, it requires your web app to obtain and manage a secret. If all you want to do is implement sign-in, and you don't need to obtain access tokens for invoking APIs, you can avoid that burden.

Implicit Flow with Form Post uses OIDC to implement web sign-in in a way that is very similar to how SAML and WS-Federation operate. The web app requests and obtains tokens through the front channel, without the need for secrets or extra backend calls. With this method, you don't need to obtain, maintain, use, or protect a secret in your application.

How it works

[Diagram: Implicit Flow with Form Post authorization sequence]
  1. The user clicks Login in the app.

  2. Auth0's SDK redirects the user to the Auth0 Authorization Server (/authorize endpoint), passing a response_type parameter of id_token, which indicates the type of credential requested. It also passes a response_mode parameter of form_post, so that the token is returned to the app in the body of an HTTP POST rather than in the URL.

  3. Your Auth0 Authorization Server redirects the user to the login and authorization prompt.

  4. The user authenticates using one of the configured login options and may see a consent page listing the permissions Auth0 will give to the app.

  5. Your Auth0 Authorization Server returns the user to the app, delivering the ID Token to the app's callback URL in an HTTP POST.

How to implement it

You can use our Express OpenID Connect SDK to securely implement the Implicit Flow with Form Post.

Alternatively, you can follow our tutorials to use our API endpoints directly to Add Login Using the Implicit Flow with Form Post.
