When issuing an access token during the Implicit grant flow, the authorization server does not authenticate the client. In some cases, the client identity can be verified via the redirection URI used to deliver the access token to the client. The access token may be exposed to the resource owner or other applications with access to the resource owner's user-agent.
For additional information about Implicit grants, refer to Implicit Grant.
Upon successful user authorization, the Authorization Server redirects the user-agent to the redirect_uri supplied in the original authorization request. An access_token parameter is supplied in the fragment part of the redirect_uri. Additional fragment parameters include token_type, id_token, expires_in and state. For a detailed explanation of these parameters, refer to Implicit Authentication Response.
The Userinfo endpoint may now be called to retrieve details about the User. For more information about /userinfo, refer to Userinfo Endpoint Information.
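The following is an added example of how a browser-based client would consume the redirect described above; it is not PRIVO's code. It parses the fragment parameters (access_token, token_type, id_token, expires_in, state), rejects responses whose state does not match the value the client stored before redirecting, and prepares the Bearer request for the Userinfo endpoint. The redirect URI, Userinfo URL and token values are constructed placeholders; the bearer token_type check and the fragment-scrubbing step are assumptions the page does not state.

```javascript
// Added example: client-side handling of an Implicit grant redirect.
// Not PRIVO's own code. All URLs and token values below are constructed.

// Parse the fragment part of the redirect_uri into a plain object.
// Node's global URL/URLSearchParams are used; no DOM required.
function parseImplicitResponse(redirectedUrl) {
  const url = new URL(redirectedUrl);
  const fragment = url.hash.startsWith('#') ? url.hash.slice(1) : url.hash;
  const out = {};
  for (const [key, value] of new URLSearchParams(fragment)) out[key] = value;
  return out;
}

// Validate the fragment against the state the client generated before the
// redirect. `now` (milliseconds) is injectable so expiry is deterministic in tests.
// Returns { ok: true, token } or { ok: false, reason }.
function validateImplicitResponse(redirectedUrl, expectedState, now = Date.now()) {
  const p = parseImplicitResponse(redirectedUrl);
  if (p.error) return { ok: false, reason: p.error };
  // state binds the response to the request this client actually made.
  if (!p.state || p.state !== expectedState) return { ok: false, reason: 'state_mismatch' };
  if (!p.access_token) return { ok: false, reason: 'missing_access_token' };
  // Assumption: the server issues bearer tokens (the page does not state token_type's value).
  if ((p.token_type || '').toLowerCase() !== 'bearer') return { ok: false, reason: 'unexpected_token_type' };
  const expiresIn = Number(p.expires_in);
  if (!Number.isFinite(expiresIn) || expiresIn <= 0) return { ok: false, reason: 'bad_expires_in' };
  return {
    ok: true,
    token: {
      accessToken: p.access_token,
      idToken: p.id_token || null,
      expiresAt: now + expiresIn * 1000,
    },
  };
}

// The fragment stays in the user-agent's history and is visible to other code
// in the page, which is the exposure the text describes. Remove it once consumed.
// Only runs in a browser; a no-op under Node.
function scrubFragment() {
  if (typeof window === 'undefined' || !window.history) return false;
  window.history.replaceState(null, '', window.location.pathname + window.location.search);
  return true;
}

// Build the Userinfo request that follows a successful response.
// The endpoint is a placeholder; the real one is in Userinfo Endpoint Information.
function userinfoRequest(userinfoEndpoint, accessToken) {
  return {
    method: 'GET',
    url: userinfoEndpoint,
    headers: { Authorization: 'Bearer ' + accessToken },
  };
}

// Usage (constructed values): the state 'abc' was stored before the redirect.
const sampleRedirect =
  'https://client.example/cb#access_token=tok123&token_type=Bearer' +
  '&id_token=hdr.payload.sig&expires_in=3600&state=abc';
const result = validateImplicitResponse(sampleRedirect, 'abc');
if (result.ok) {
  scrubFragment();
  console.log(userinfoRequest('https://authorization-server.example/userinfo', result.token.accessToken));
} else {
  console.log('rejected:', result.reason);
}
```

The state comparison is the important check: a response carrying a state the client never issued, or none at all, is discarded before the access token is used.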
OpenID Connect authorization supports what is called id_token_hint. The value of the id_token_hint parameter is the id_token previously issued by the PRIVO Authorization Server. Passing this value serves as a hint about the user's current or past authenticated session with the Client. If the user identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it returns the error login_required. id_token_hint must be present when prompt=none is used, and an invalid_request error is returned if it is not.
Sample Implicit Authorization Request:
Sample JSON Response:
HTTP/1.1 302 Found
Sample Request with ID Token: