Spring Security OAuth2 implicit mode

  spring-security

Preface

The first three articles covered the client credentials, password and authorization code modes. This article covers the implicit mode.

Implicit mode

In this mode the browser requests the token directly from the authorization server, without going through the client's own server, so the "authorization code" step is skipped. Every step is completed in the browser, and the token is returned directly in the callback URL.

It is suitable for applications that obtain the token directly in the front-end.

The steps are the same as for the authorization code mode, except that the authorization code step is absent:

  • The browser requests a token from the authorization server
  • The user logs in (if not already logged in)
  • The user grants authorization
  • After authorization, the browser is redirected straight to the redirect_uri with the token carried in the URL

Example

Request token

http://localhost:8080/oauth/authorize?response_type=token&client_id=demoApp&redirect_uri=https://baidu.com
  • Note that here response_type=token
  • No client secret is passed; client_id is used only so the authorization server can check that the redirect_uri matches the one registered for that client
  • If the redirect_uri itself carries query parameters, URL-encode it before passing it as a parameter

Callback successful

http://localhost:8081/callback#access_token=41f78007-e2ec-4978-9beb-a830b638d4d8&token_type=bearer&expires_in=1199&scope=all

You can see that the URL directly carries the access_token and related information.
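As an added example (not code from the original post), the two browser-side pieces of this flow in plain JavaScript: building the authorize URL from the request above, with the redirect_uri URL-encoded so a callback that carries its own query parameters survives intact, and parsing the token out of the callback URL. The endpoint, client_id, redirect_uri and the sample callback URL are the values shown in the post; the error-response handling and the second callback URL are constructed for this example. Note that the token sits in the URL fragment (after `#`), which the browser never sends over the network, so only script running on the callback page can read it.

```javascript
// Added example, not from the original post: build the implicit-mode
// authorization URL and parse the token out of the callback URL fragment.
// Endpoint, client_id and redirect_uri are the values from the post.
const AUTHORIZE_ENDPOINT = "http://localhost:8080/oauth/authorize";

// Build the authorize URL. URLSearchParams percent-encodes redirect_uri,
// so a callback URL that itself contains '?' or '&' is passed intact.
function buildAuthorizeUrl(clientId, redirectUri, scope) {
  const params = new URLSearchParams({
    response_type: "token", // implicit mode: ask for the token directly
    client_id: clientId,    // no client_secret is sent from the browser
    redirect_uri: redirectUri,
  });
  if (scope) params.set("scope", scope);
  return `${AUTHORIZE_ENDPOINT}?${params.toString()}`;
}

// Parse the callback URL. The server places the token in the fragment
// (after '#'), which the browser does not send to the callback server,
// so it has to be read by script on the callback page.
// Returns null when there is no fragment or no access_token, an object
// with an `error` field when the server reported an error, and the token
// fields otherwise.
function parseCallbackFragment(callbackUrl) {
  const hashIndex = callbackUrl.indexOf("#");
  if (hashIndex === -1) return null;
  const params = new URLSearchParams(callbackUrl.slice(hashIndex + 1));
  if (params.has("error")) {
    return {
      error: params.get("error"),
      errorDescription: params.get("error_description"),
    };
  }
  const accessToken = params.get("access_token");
  if (!accessToken) return null;
  const expiresIn = Number(params.get("expires_in"));
  return {
    accessToken,
    tokenType: params.get("token_type"),
    expiresIn: Number.isFinite(expiresIn) ? expiresIn : null, // seconds
    scope: params.get("scope"),
  };
}

// The successful callback URL exactly as shown in the post.
const SAMPLE_CALLBACK =
  "http://localhost:8081/callback#access_token=41f78007-e2ec-4978-9beb-a830b638d4d8&token_type=bearer&expires_in=1199&scope=all";

// Constructed for this example: a callback where the user denied access.
const SAMPLE_DENIED_CALLBACK =
  "http://localhost:8081/callback#error=access_denied&error_description=User+denied";

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildAuthorizeUrl("demoApp", "https://baidu.com"));
  console.log(parseCallbackFragment(SAMPLE_CALLBACK));
  console.log(parseCallbackFragment(SAMPLE_DENIED_CALLBACK));
}
```

On a real callback page you would call `parseCallbackFragment(window.location.href)`; `URLSearchParams` decodes `+` and percent-escapes in the fragment the same way it does for a query string.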

Of course, with implicit mode there is no need to use the client module of Spring Security OAuth2, because the whole flow runs in the browser.

doc