The implicit grant allows requesting tokens without explicit client authentication (hence the name); the redirect URI is used instead to verify the client's identity. Because of that, requesting long-lived tokens such as a refresh token is not allowed in this flow.

The implicit grant type is used to obtain access tokens and is optimized for public clients known to operate a particular redirection URI. These clients are typically implemented in a browser using a scripting language such as JavaScript.

Unlike the authorization code grant type, in which the client makes separate requests for authorization and for an access token, the client receives the access token as the result of the authorization request.

Implicit flow

The client initiates the request by redirecting the user to the authorize endpoint with the following parameters:

response_type (required) ‘code’

scope (required) ‘Contacts.Read’

redirect_uri (required)

client_id (required) e.g. ‘7b745ef9-7da1-4074-b32a-76e66ae2ec55’

resource (required) For the Contacts API this value must be ‘ad053bcf-8b7c-4ed0-ac5c-d7dee1d81d66’

Request example

GET
	https://login.myob.com/oauth2/authorize?
		response_type=code&
		redirect_uri=https://yourApplication/code&
		client_id=YOUR_CLIENT_ID&
		scope=Contacts.Read&
		resource=ad053bcf-8b7c-4ed0-ac5c-d7dee1d81d66

If the user is not already signed in and has not approved the client earlier, the user will be prompted to log in and to consent to the requested scopes.

Once the user has approved, the browser is redirected to the redirect_uri.

Response example

	https://yourApplication/?code=wf2_ChyzZZfU0JszC_......gZhD7JvZAyIs_0GE

Note: the authorization code is returned in the query string parameter code.

Token request

The client app then sends another HTTPS request to the auth service to exchange the code for a token, with the following parameters:

grant_type (required) ‘authorization_code’

code (required) the code as above

redirect_uri (required) the same value as in the initial authorize request

Example request

POST
	https://login.myob.com/oauth2/token
POST data:
	client_id=YOUR_CLIENT_ID&
	client_secret=YOUR_CLIENT_SECRET&
	grant_type=authorization_code&
	code=<use the value given in the redirect_uri from the previous authorize request>&
	redirect_uri=https%3A%2F%2FyourApplication%2Fcode

Token response

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbG........uQ19XSeyGhZx4UKg",
  "token_type": "Bearer",
  "expires_in": 3600,
  "expires_on": 1447199907,
  "resource": "ad053bcf-8b7c-4ed0-ac5c-d7dee1d81d66",
  "scope": "Contacts.Read"
}
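The two steps above (authorize redirect, then code-for-token exchange), as a small client-side helper added here as an example; it is not MYOB's own code. The function names and the sample redirect and token-response values are constructed assumptions, and the checks that the code is only accepted from the registered redirect_uri and that the returned resource and scope match what was requested are defensive additions. The token request is assumed to run on the app's backend, since it carries client_secret.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://login.myob.com/oauth2/authorize"
TOKEN_URL = "https://login.myob.com/oauth2/token"
CONTACTS_RESOURCE = "ad053bcf-8b7c-4ed0-ac5c-d7dee1d81d66"  # resource id from the docs


def build_authorize_url(client_id, redirect_uri, scope="Contacts.Read"):
    """Step 1: the URL the browser is sent to, with all five required parameters."""
    params = {"response_type": "code", "redirect_uri": redirect_uri,
              "client_id": client_id, "scope": scope, "resource": CONTACTS_RESOURCE}
    return AUTHORIZE_URL + "?" + urlencode(params)


def extract_code(redirected_to, registered_redirect_uri):
    """Step 2: pull ?code=... out of the redirect, but only if the browser landed
    on exactly the registered redirect_uri (scheme, host and path must match)."""
    got, want = urlsplit(redirected_to), urlsplit(registered_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect did not land on the registered redirect_uri")
    codes = parse_qs(got.query).get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 3: form-encoded POST body for the token endpoint (backend only,
    because it carries client_secret)."""
    body = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri}  # must equal the authorize request's value
    return TOKEN_URL, urlencode(body)


def parse_token_response(body_json, expected_scope="Contacts.Read"):
    """Step 4: accept the token only if it is for the resource and scope requested."""
    tok = json.loads(body_json)
    if tok.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    if tok.get("resource") != CONTACTS_RESOURCE or tok.get("scope") != expected_scope:
        raise ValueError("token issued for a different resource or scope")
    return tok["access_token"], int(tok["expires_in"])


# Constructed sample values (not real credentials or tokens).
REDIRECT_URI = "https://yourApplication/code"
SAMPLE_REDIRECT = "https://yourApplication/code?code=SAMPLE_CODE_123"
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "SAMPLE_JWT", "token_type": "Bearer", "expires_in": 3600,
    "expires_on": 1447199907, "resource": CONTACTS_RESOURCE, "scope": "Contacts.Read"})
```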