How to: Perform an OpenID Connect 1.0 Implicit Grant.

This OpenID Connect 1.0 flow is typically used when the app cannot securely store a client secret. If you are building a single-page app or a mobile app in JavaScript with a framework such as PhoneGap, this is the preferred way to authenticate and to call both our APIs and your own APIs from your app. OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, and to obtain basic profile information about the End-User in an interoperable, REST-like manner. See http://openid.net/specs/openid-connect-core-1_0.html

Initiating the flow

To sign in and obtain an access token for the user, you initiate this flow by redirecting the user to the following URL:

Example request

GET /{tenant}/oauth2/v1/auth/?
    response_type=id_token%20token
    &client_id=[YOUR_CLIENT_ID]
    &redirect_uri=https://[YOUR_APP_REDIRECT_URI]/
    &scope=openid%20[SCOPES]
    &state=[STATE]
    &nonce=[NONCE]

Handling the response

After the user authenticates, we redirect the browser back to https://[YOUR_APP_REDIRECT_URI]/ with the tokens in the URL.

The access token, ID token and state are sent in the URL fragment, not the query string. This allows the JavaScript code on your callback page to read the fragment and parse out the access token and state. Normally you use the state to remember where the user was before being redirected to the sign-in page. The expires_in parameter holds the number of seconds the access token remains valid.

Example response

https://[YOUR_APP_REDIRECT_URI]/#
    access_token=X5678IYHI690UJJJ000
    &token_type=bearer
    &expires_in=960
    &scope=[SCOPES]
    &state=[STATE]
    &id_token=[IDTOKEN]

The ID token is in the format <Base64UrlEncodedHeader>.<Base64UrlEncodedPayload>.<Base64UrlEncodedSignature>. See http://openid.net/specs/openid-connect-core-1_0.html
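The following JavaScript is an added example, not code from this page or from the service it documents. It builds the authorization URL of the example request above, then handles the callback of the example response: it parses the fragment, checks that state matches the value the app stored before the redirect, decodes the ID token and checks its nonce, audience and expiry before returning the user to the page they came from. The base URL https://login.example, the client ID, the redirect URI, the token values and the sample ID token with its placeholder signature are all constructed assumptions. The example does not verify the ID token signature; a real client must check it against the Authorization Server's published keys before trusting any claim.

```javascript
// Added example (not the original page's code): build the implicit-grant
// authorization URL, then validate the fragment callback it produces.
// Host, client id, redirect URI and token values are constructed placeholders.

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(segment) {
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Build the redirect URL of the "Example request". Scopes are space separated
// and percent-encoded as %20, matching the documented request.
function buildAuthorizeUrl(baseUrl, tenant, clientId, redirectUri, scopes, state, nonce) {
  const query = {
    response_type: 'id_token token',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: ['openid', ...scopes].join(' '),
    state,
    nonce,
  };
  const qs = Object.entries(query)
    .map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('&');
  return `${baseUrl}/${tenant}/oauth2/v1/auth/?${qs}`;
}

// Split an ID token into header.payload.signature and decode the JSON parts.
// The signature is NOT verified here; a real client must check it against the
// Authorization Server's published keys before trusting any claim.
function decodeIdToken(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('id_token must have three parts');
  const header = JSON.parse(base64UrlDecode(parts[0]));
  if (!header.alg || header.alg === 'none') throw new Error('id_token must be signed');
  return { header, payload: JSON.parse(base64UrlDecode(parts[1])), signature: parts[2] };
}

// The tokens arrive in the fragment, so parse the part after '#'.
function parseCallbackFragment(callbackUrl) {
  const fragment = new URL(callbackUrl).hash.replace(/^#/, '');
  return Object.fromEntries(new URLSearchParams(fragment));
}

// Validate the callback. `expected` is what the app stored (e.g. in
// sessionStorage) before redirecting: the random state, the random nonce,
// its own client id, and where the user was (returnTo).
function handleCallback(callbackUrl, expected, nowMs = Date.now()) {
  const p = parseCallbackFragment(callbackUrl);
  if (p.error) throw new Error(`authorization error: ${p.error}`);
  if (!p.state || p.state !== expected.state) {
    throw new Error('state mismatch: callback was not initiated by this session');
  }
  if (!p.access_token || (p.token_type || '').toLowerCase() !== 'bearer') {
    throw new Error('missing bearer access token');
  }
  const { payload } = decodeIdToken(p.id_token || '');
  if (payload.nonce !== expected.nonce) {
    throw new Error('nonce mismatch: id_token does not belong to this request');
  }
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(expected.clientId)) throw new Error('id_token audience mismatch');
  if (typeof payload.exp !== 'number' || payload.exp * 1000 <= nowMs) {
    throw new Error('id_token expired');
  }
  return {
    accessToken: p.access_token,
    expiresAt: nowMs + Number(p.expires_in) * 1000, // when the access token stops working
    scopes: (p.scope || '').split(' ').filter(Boolean),
    claims: payload,
    returnTo: expected.returnTo,
  };
}

// Constructed sample ID token with a placeholder (not real) signature so the
// example runs offline.
function makeSampleIdToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.SIGNATURE_PLACEHOLDER`;
}

// Demo with constructed values mirroring the "Example response" above.
const demoToken = makeSampleIdToken({
  iss: 'https://login.example/acme', sub: 'user-1', aud: 'abc123', nonce: 'n1', exp: 4102444800,
});
const demoCallback = 'https://app.example/cb/#access_token=X5678IYHI690UJJJ000&token_type=bearer'
  + '&expires_in=960&scope=openid%20profile&state=st1&id_token=' + demoToken;
console.log(handleCallback(demoCallback, { state: 'st1', nonce: 'n1', clientId: 'abc123', returnTo: '/orders' }));
```

In a browser the app generates a fresh random state and nonce per login, stores them (with the return location) under a key that only this browser session can read, and discards them after one use; a callback whose state or nonce does not match is rejected rather than silently accepted.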

Related sections

GET {tenant}/oauth2/v1/auth
POST {tenant}/oauth2/v1/token
GET {tenant}/oauth2/v1/verify