Announcement Announcement Module
No announcement yet.
implicit grant types Spring OAuth 2.0 Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • implicit grant types Spring OAuth 2.0


    Does anybody here has test implicit grant types in Spring OAuth 2.0 ?

    From literature i got, the different between authorization_code and implicit grant types that is the authorization_code is used by web application type client whether implicit is use by mobile type client. The mechanism of accepting code and access_token for authorization_code is using callback_url that has been stored before in the database. Why authorization_code use callback_url, because web application type client is using web server and a server must have dedicated IP and so the message that contain code or access_token will be sent successfully to the client. But how about mobile type client, mobile type client use shared IP given by the provider, and the callback_url i assume will not valid when oauth provider sent the code or access_token. So, the mechanisme of accepting code or access_token is redirect to a page that contain information about code or access_token so the client read to it to get an access_token or code. Are what i say is correct?

    I have already implement and test client that has authorization_code grant type but not yet client that has implicit grant type.


  • #2
    The sparklr/tonr sample has a client that works with implicit grants. Implicit grant was really designed more for a script client in a browser than a mobile client per se, but I know that mobile apps often use that grant type (also they often use passwrod grants). If your client app is not in a browser you are correct that the redirect URI is sort of a fiction, since there is probably no need to actually follow the link. But it is important to register a redirect URI to prevent an attacker from using his own value and potentially stealing access tokens.


    • #3
      Thanks dave for your explanation. So, is there any additional configuration or java code to implement this?


      • #4
        Nothing additional to the sample, no. It declares an <implicit/> grant type in its <authorization-server/>, and that should be about it (apart from the client registrations actually allowing implicit grants).