Implicit Flow

Authorize

GET https://auth3.upbond.io/authorize?
  audience=API_IDENTIFIER&
  scope=SCOPE&
  response_type=token|id_token|id_token token&
  client_id=YOUR_CLIENT_ID&
  redirect_uri=YOUR_REDIRECT_URI&
  state=STATE&
  nonce=NONCE

RESPONSE SAMPLE

HTTP/1.1 302 Found
Location: YOUR_REDIRECT_URI#access_token=TOKEN&state=STATE&token_type=TYPE&expires_in=SECONDS

This is the OAuth 2.0 grant that web apps use to access an API.

Request Parameters

Parameter
Description

audience

The unique identifier of the target API you want to access.

scope

The scopes you want to request authorization for. These must be separated by a space. You can request standard OpenID Connect (OIDC) scopes (e.g., profile, email) or any scopes supported by the target API (e.g., read:contacts).

response_type Required

Specifies the type of token you will receive. Use token for an Access Token, id_token for an ID Token, or id_token token for both.

client_id Required

Your application's Client ID.

state Recommended

An opaque value added to the request to prevent CSRF attacks.

redirect_uri

The URL to which Login 3.0 will redirect the browser after authorization is granted.

nonce Recommended

A string included in the ID Token to prevent replay attacks. Required for response_type=id_token token.
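
The state and nonce checks described above, as an added example (not UPBOND's own code): the client generates both values before redirecting to /authorize and verifies them when the callback arrives. The Map-like store, its key names and the id_token fragment parameter (standard OIDC, not shown in the sample response) are assumptions; decoding the payload here does not replace ID Token signature validation.

```javascript
// Added example, not UPBOND code. `store` is any Map-like per-session store
// (an assumption; in a browser, a thin wrapper around sessionStorage).
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const AUTHORIZE_ENDPOINT = "https://auth3.upbond.io/authorize";

// 128 bits from a CSPRNG, hex-encoded: unguessable and URL-safe.
function randomValue() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Build the /authorize URL and remember the state and nonce sent with it.
function buildAuthorizeUrl(params, store) {
  const state = randomValue();
  const nonce = randomValue();
  store.set("oauth_state", state);
  store.set("oauth_nonce", nonce);
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.search = new URLSearchParams({ ...params, state, nonce }).toString();
  return url.toString();
}

// Decode the ID Token payload (base64url JSON). This does NOT verify the signature.
function decodeJwtPayload(jwt) {
  const b64 = jwt.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(atob(b64));
}

// Validate the redirect fragment; throw unless state (and nonce, if an ID Token is present) match.
function handleCallback(callbackUrl, store) {
  const fragment = new URLSearchParams(new URL(callbackUrl).hash.slice(1));
  const expectedState = store.get("oauth_state");
  const expectedNonce = store.get("oauth_nonce");
  store.delete("oauth_state"); // single use: a replayed callback finds nothing to match
  store.delete("oauth_nonce");
  if (!expectedState || fragment.get("state") !== expectedState) {
    throw new Error("state mismatch: response does not belong to a request this browser started");
  }
  const result = { accessToken: fragment.get("access_token"), claims: null };
  const idToken = fragment.get("id_token");
  if (idToken) {
    result.claims = decodeJwtPayload(idToken);
    if (!expectedNonce || result.claims.nonce !== expectedNonce) {
      throw new Error("nonce mismatch: ID Token was not issued for this request");
    }
  }
  return result;
}
```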

Remarks

  • The redirect_uri must match a valid callback URL configured for your application.

  • If response_type=token, the user is redirected to your application's callback URL after authenticating, with the access_token in the URL fragment.

  • The Implicit Flow does not support Refresh Tokens. For refreshing tokens without user interaction, use Silent Authentication.

  • The profile information returned in the token follows the structured claim format defined by the OIDC specification. Custom claims must conform to a namespaced format to avoid collisions with standard OIDC claims.

  • Silent Authentication can retrieve a new Access Token when the user's session is still valid, without requiring interaction.
