Implicit Flow
- Should not be used; prefer Authorization Code with PKCE instead
Benefits
- The application never sees the user’s credentials
- A mobile or browser app uses the underlying session storage, so single sign-on scenarios work as expected
Drawbacks
- The access token is returned directly to the end user's browser, where it is exposed and therefore at risk
- Doesn’t support refresh tokens
- Most people use the implicit flow as the front-end single sign-on interface to a backend application that actually uses the authorization code flow (or similar) behind the scenes. SSO with Google, Facebook, etc. has typically been implemented with this flow
- Making it secure is hard
Uses
- Use it very rarely, if at all
- It should be Plan B, e.g. when the OAuth provider doesn't support Authorization Code with PKCE
Security
- Use SSL/TLS
- Always validate your token
- Use CORS