Implicit Flow
The Implicit Flow in OpenID Connect (OIDC) is designed for client-side applications, such as single-page applications (SPAs), where tokens are returned directly via the redirect URI. This flow eliminates the need for a client secret, simplifying authentication for browser-based apps. However, it is less secure than other flows: refresh tokens are not supported, and access tokens have a short lifespan. While it provides a straightforward authentication mechanism, it should be used cautiously, especially for applications requiring long-term user sessions. More secure alternatives, like the Authorization Code Flow with PKCE, are now recommended.
Key Characteristics
- Tokens are returned directly to the user agent via the redirect URI.
- No backend server is required for token exchange.
- Limited to short-lived sessions due to security concerns.
Steps to Implement Implicit Flow
- Initiate Authorization Request: redirect the user to the authorization endpoint:
  https://<siteurl>/service/oidc/{OIDCAppName}/authorize?client_id={OIDC Client ID}&redirect_uri={Callback URL}&scope=openid&response_type={response_type}&state={random string}&nonce={unique nonce}
- Query Parameters:
- client_id: OIDC client ID.
- redirect_uri: The URL to which users are redirected after login.
- response_type: Can be token, id_token, or token id_token.
- state: A random string to prevent CSRF attacks.
- scope: Must include openid, with additional scopes as needed.
- nonce: A unique value for replay protection.
- Receive Tokens: depending on the response_type, tokens are returned in the redirection URI:
- response_type=token:
  REDIRECT_URI?token={access_token}&state={state}
- response_type=id_token:
  REDIRECT_URI?id_token={JWT token}&state={state}
- response_type=token id_token:
  REDIRECT_URI?token={access_token}&id_token={JWT token}&state={state}
The Implicit Flow in OIDC provides a simple, direct way to authenticate users for public clients. While it is easier to implement, its lack of support for refresh tokens and its security concerns make it less suitable for long-term sessions. Consider using other flows like Authorization Code Flow with PKCE for more secure and scalable authentication.