Preface
The first three articles covered the client credentials, password and authorization code grant modes. This article covers implicit mode.
Implicit mode
In this mode the browser requests the token from the authorization server directly, without going through the client's server, so the "authorization code" step is skipped. All steps are completed in the browser and the token is passed directly in the callback URL.
It is suitable for applications that obtain the token directly in the front end.
The steps are the same as in authorization code mode, except that the authorization code step is missing:
- The browser requests a token from the authorization server
- The user logs in (if not already logged in)
- The user grants authorization
- After authorization, the browser is redirected straight to redirect_uri with the token carried in the URL fragment.
Example
Request token
http://localhost:8080/oauth/authorize?response_type=token&client_id=demoApp&redirect_uri=https://baidu.com
- Note that here response_type=token
- There is no need to pass the client secret; client_id is passed only so the authorization server can check that redirect_uri matches the one configured for this client.
- If the redirect_uri itself carries query parameters, URL-encode it before passing it as a parameter
Successful callback
http://localhost:8081/callback#access_token=41f78007-e2ec-4978-9beb-a830b638d4d8&token_type=bearer&expires_in=1199&scope=all
You can see that the callback URL itself carries the access_token and the related fields (token_type, expires_in, scope) in its fragment.
Of course, with implicit mode there is no need to use the client module of Spring Security OAuth2, because the whole flow runs in the browser.
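Because the token arrives in the URL fragment, the browser never sends it to the callback server; the front end has to read it itself. The following is an added example (not code from the original page or from Spring Security OAuth2) that parses the callback URL shown above, checks the token fields, and builds the Authorization header for resource requests. The callback URL is the one from the page; the function names are my own.

```javascript
// Added example: handle the implicit-mode callback in the browser.
// The fragment (everything after '#') is never sent to the server, so the
// front end reads it from window.location.hash. SAMPLE_CALLBACK is the
// callback URL from the page, used here as constructed input.
const SAMPLE_CALLBACK =
  "http://localhost:8081/callback#access_token=41f78007-e2ec-4978-9beb-a830b638d4d8" +
  "&token_type=bearer&expires_in=1199&scope=all";

// Returns {accessToken, tokenType, expiresAt, scope}, or throws if the
// fragment is not a usable bearer token response.
function parseImplicitCallback(url, now = Date.now()) {
  const hashIndex = url.indexOf("#");
  if (hashIndex < 0) throw new Error("no fragment in callback URL");
  const params = new URLSearchParams(url.slice(hashIndex + 1));
  if (params.has("error")) {
    throw new Error("authorization failed: " + params.get("error"));
  }
  const accessToken = params.get("access_token");
  const tokenType = (params.get("token_type") || "").toLowerCase();
  const expiresIn = Number(params.get("expires_in"));
  if (!accessToken) throw new Error("fragment carries no access_token");
  if (tokenType !== "bearer") throw new Error("unexpected token_type: " + tokenType);
  if (!Number.isFinite(expiresIn) || expiresIn <= 0) throw new Error("bad expires_in");
  return {
    accessToken,
    tokenType,
    expiresAt: now + expiresIn * 1000, // absolute expiry in ms
    scope: (params.get("scope") || "").split(" ").filter(Boolean),
  };
}

// Build the Authorization header for calls to the resource server,
// refusing a token whose expires_in window has passed.
function authorizationHeader(token, now = Date.now()) {
  if (now >= token.expiresAt) throw new Error("token expired; re-run the authorize flow");
  return "Bearer " + token.accessToken;
}

// In a real page: const token = parseImplicitCallback(window.location.href);
// then drop the fragment so the token does not linger in browser history:
// history.replaceState(null, "", window.location.pathname);
```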