Implicit Flow with Form Post
Don’t let the term "implicit" mislead you! OAuth discourages the implicit grant for obtaining access tokens in SPAs because those tokens are returned in the URL fragment, where they can leak through browser history, Referer headers and scripts on the page. The Implicit Flow with Form Post is tailored for traditional web apps and is not affected by those issues: it returns only an ID token (never an access token), and the Authorization Server delivers that token to the app's callback endpoint in the body of an HTTPS POST request rather than in the URL fragment.
This flow is ideal for web sign-in scenarios where you don’t need access tokens for API calls and want to avoid managing a client secret in the app.
How it works
This flow is designed for login-only use cases. If you need access tokens for calling APIs, consider using the Authorization Code Flow with PKCE or the Hybrid Flow instead.
Flow Steps:
1. The user clicks the Login button in the app.
2. Login 3.0 SDK redirects the user to the Login 3.0 Authorization Server (/authorize endpoint), passing a response_type parameter of id_token (indicating the requested credential type) and a response_mode parameter of form_post for secure token handling.
3. The Login 3.0 Authorization Server redirects the user to the login and authorization prompt.
4. The user authenticates using one of the configured login methods and may see a consent page listing the permissions granted to the app.
5. The Login 3.0 Authorization Server redirects the user back to the app with an ID Token via a secure POST to the app's callback endpoint.
How to implement it
Login 3.0 SDK: Use the Login 3.0 SDK for a secure implementation of the Implicit Flow with Form Post.
Direct API Integration: Follow the Login 3.0 API documentation to implement the flow manually using the /authorize endpoint.
Key Notes:
Login-only Use Cases: This flow is best for scenarios where only an ID token is needed for user authentication.
Security: Using response_mode=form_post delivers the ID token in the body of an HTTPS POST to your callback URL, so it is not exposed in the browser’s URL, history or Referer header. Your callback endpoint must therefore accept POST requests. The app must still validate the ID token before trusting it: verify the signature against the Authorization Server's signing keys, check the issuer, audience and expiry claims, confirm that the nonce claim matches the nonce sent in the /authorize request, and confirm that the returned state matches the value bound to the user's session.
Simplified Implementation: Eliminates the need to manage client secrets in traditional web apps.
Further Recommendations
If your use case requires Access Tokens in addition to ID Tokens, consider using the Authorization Code Flow with PKCE or the Hybrid Flow. These flows adhere to modern best practices, ensuring both security and functionality.