OAuth 2.0 Implicit Grant


The Implicit grant type is a simplified flow that can be used by public clients, where the access token is returned immediately without an extra authorization code exchange step.

It is generally not recommended to use the implicit flow (and some servers prohibit this flow entirely). In the time since the spec was originally written, the industry best practice has changed to recommend that public clients should use either the authorization code flow without the client secret, or use the PKCE extension instead.

More information can be found on the OAuth mailing list from: Redhat, Deutsche Telekom, and Smart Health IT, as well as this thread.

More resources