Table of Contents
Authorization using implicit grant (deprecated)
How to authorize applications using implicit grant.
01. April 2025
Table of Contents
Note: Implicit grant is deprecated in OAuth 2.1
For information about how to register the application, see application registration.
Protocol flow
The client opens a browser window to the following URL (line breaks are added for readability. All parameter values must be URL-encoded):
https://myfotowebserver.com/fotoweb/oauth2/authorize? response_type=token& client_id=CLIENT_ID& redirect_uri=REDIRECT_URI& state=STATE
where
| Parameter | Description |
|---|---|
response_type |
Mandatory. Must always be token. |
client_id |
Mandatory. The unique ID of the client, which was obtained during client registration. |
redirect_uri |
The redirection endpoint URI of the client. If given, it must match one of the redirection endpoint URIs registered for the client. Optional if the application only has one registration endpoint. Mandatory if the application has more than one registration endpoint. |
state |
Mandatory: This should be a unique, cryptographically safe random string. |
This request may result in the user being shown a login prompt for FotoWeb.
Upon success, the server responds by redirecting the user to the client's redirection endpoint URI. This is always one of the redirection endpoints registered for the client and if given, the redirection URI passed in the request as redirect_uri.
Parameters are added to the fragment part of the redirection URI as follows (line breaks added for readability. All parameter values are URL-encoded):
https://myapplication.com/oauth2/callback# access_token=ACCESS_TOKEN& token_type=bearer& expires_in=EXPIRES_IN_SECONDS state=STATE
where
| Parameter | Description |
|---|---|
access_token |
The access token that is used to authorize requests to the FotoWeb API |
token_type |
This is always bearer. |
expires_in |
Number of seconds after which the token is expected to expire. |
state |
The exact value of the state parameter sent by the client in the authorize request.The client MUST check that this value is identical to the value it sent earlier to protect against cross-site request forgery (CSRF) attacks. If the values do not match, the client MUST reject the request. This can be done, for example, by showing an error page. The client MUST NOT proceed with the authorization process and SHOULD NOT do anything that can affect its state other than logging. The client MAY also use this value to identify an individual session and/or authorization process (and in that case, reject the request if no session with a matching ID is found). |
The application can obtain the access token by parsing the fragment part of the redirection URL.
The server will not issue a refresh token if implicit grant is used. When the access token has expired, the only way to obtain a new access token is to repeat authorization.
Implementation in JavaScript
01 function createState()
02 {
03 var text = "";
04 var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_~.";
05 for (var i = 0; i < 16; ++i)
06 text += possible.charAt(Math.floor(Math.random() * possible.length));
07
08
09 return text;
10 }
11
12
13 function requestAuthorization(tenantURL, clientID, redirectURI)
14 {
15 var state = createState();
16 sessionStorage.setItem('state', state);
17
18
19 window.location = tenantURL + "/fotoweb/oauth2/authorize?" +
20 "response_type=token&" +
21 "client_id=" + clientID + "&" +
22 "redirect_uri=" + encodeURIComponent(redirectURI) + "&" +
23 "state=" + encodeURIComponent(state);
24 }
25
26
27 function getAccessToken()
28 {
29 var state = sessionStorage.getItem('state');
30 if (state === null) return null;
31
32
33 var params = window.location.hash.substring(1).split('&');
34 var token = null;
35 var stateValid = false;
36 for (var i = 0; i < params.length; ++i)
37 {
38 var pair = params[i].split('=');
39 if (decodeURIComponent(pair[0]) === 'access_token')
40 {
41 token = decodeURIComponent(pair[1]);
42 }
43 else if (decodeURIComponent(pair[0]) === 'state') {
44 if (state === decodeURIComponent(pair[1]))
45 stateValid = true;
46 else
47 alert("Invalid state! Someone is trying to mess with you!")
48 }
49 }
50
51
52 if (stateValid)
53 return token;
54
55
56 return null;
57 }The following JavaScript functions can be used to implement OAuth 2.0 in a single-page application:
The requestAuthorization function redirects the user to the authorization endpoint of FotoWeb. It may be called, for example, when the user selects a Log in with FotoWeb button. The parameters are as follows:
-
tenantURLis the URL of the FotoWeb server, e.g.,https://acme.fotoware.cloud. -
clientIDis the client ID of the registered application. -
redirectURIis the absolute URL of the endpoint of the application which receives the access token, e.g.,https://apps.acme.org/oauth2/callback.
The getAccessToken function reads the access token from the fragment part of the URL after authorization is successful.
This implementation validates the OAuth 2.0
stateparameter by creating a random value before the authorization process and passing it to thegetAccessTokenfunction using session storage.This prevents cross-site request forgery (CSRF) and embedding the app into other apps (mash-ups) by ensuring that the app only accepts access tokens it has itself requested.
Any additional parameters to the application may be passed through the authorization process in session storage.
What's next?
To learn how to use OAuth access tokens in your configuration, see Using application access tokens for OAuth 2.0 authorization.