OAuth 2.0 Implicit Grant

The Implicit Grant is used to grant access tokens to applications in the authorization response.

Tip: You can download sample .NET Framework code at https://dl1.empowerid.com/files/OAuthTestSampleCode.zip.

Implicit Grant

  1. Initiate a login request to the EmpowerID Authorization endpoint, https://<EID Server>/oauth/v2/ui/authorize

    https://<EID Server>/oauth/v2/ui/authorize
    ?client_id=xxxxxxxxxxxxxxxxxx
    &redirect_uri=https%3A%2F%2Ftestoauthapp.com%2FcallbackUrl
    &response_type=token%20id_token
    &scope=openid
    &state=xxxxxxxxxxxxxxxxxx
    &nonce=xxxxxxxxxxxxxxxxxx

    Parameter       Required/Optional              Description
    client_id       required                       Must be the EmpowerID OAuth application client identifier.
    redirect_uri    required                       Client endpoint to which the authorization server should redirect after request approval.
    response_type   required                       Must be token to initiate the implicit flow. For OpenID Connect use token id_token.
    scope           required for OpenID Connect    Include openid for the OpenID Connect flow.
    state           required                       Random string value sent by the client to maintain session and prevent CSRF attacks.
    nonce           required                       Random string value sent by the client to uniquely identify each request.
  2. Authenticate using either EmpowerID credentials or any of the allowed external identity providers.

  3. The authorization server redirects to the redirect_uri with the response parameters in the fragment part of the URL.

    redirect_uri
    #access_token=xxxxxxxxxxxxxxxxxx
    &state=xxxxxxxxxxxxxxxxxx
    &token_type=Bearer
    &expires_in=3600
    &id_token=xxxxxxxxxxxxxxxxxx

Implicit Grant using .NET Client Library

  1. Initialize ClientSettings by passing the client_id, client_secret, redirect_uri, token_endpoint, authorization_endpoint, tokeninfo_endpoint and userinfo_endpoint. Also initialize a new ImplicitGrant by passing the clientSettings model.

    var clientSettings = new ClientSettings(
        "client_id",
        "client_secret",
        "redirect_uri",
        "https://<EID Server>/oauth/v2/token",
        "https://<EID Server>/oauth/v2/ui/authorize",
        "https://<EID Server>/oauth/v2/tokeninfo",
        "https://<EID Server>/oauth/v2/userinfo");

    var handler = new ImplicitGrant(clientSettings);
  2. Call the BuildAuthorizationRequestPacket() method to build the fully qualified URL to which the user is redirected for authentication.

    // Generate a random nonce and state
    var nonce = Guid.NewGuid().ToString("N");
    var state = Guid.NewGuid().ToString("N");

    // Use the code below for the "token" flow to build the parameters
    var parameters = handler.BuildAuthorizationRequestPacket(
        ParameterFormat.FormUrlEncoded, state, null, nonce, null);

    // Use the code below for the "token id_token" flow to build the parameters
    // var responseTypes = new List<ResponseType> { ResponseType.id_token };
    // var parameters = handler.BuildAuthorizationRequestPacket(
    //     ParameterFormat.FormUrlEncoded, state, "openid", nonce, responseTypes);

    // Generate the redirect URL
    var redirectUrl = string.Format("{0}?{1}", clientSettings.AuthorizeUrl, parameters);
  3. In the application callback method, extract the access_token, id_token, etc., from the fragment part of the redirect URL.
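The fragment in step 3 is only visible in the browser, so the callback checks belong there. The following is an added example, not code from the EmpowerID documentation or its .NET client library: it parses a callback URL of the shape shown above, rejects it unless the returned state matches the stored value, and for the "token id_token" flow checks that the id_token carries the stored nonce and the client's own id in aud. The function names, the stored values in EXPECTED and the sample id_token (with a placeholder signature) are constructed; it assumes a browser or Node 16+ runtime for URL, atob/btoa and TextDecoder.

```javascript
// Added example (not EmpowerID code); assumes browser or Node >= 16 globals.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const bin = atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

function base64UrlEncode(str) {
  const bin = String.fromCharCode(...new TextEncoder().encode(str));
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Parse the fragment appended to redirect_uri and enforce the bindings the request created:
// state (CSRF) and, for "token id_token", nonce (replay) and aud (token meant for this client).
// `expected` holds the values the client stored before redirecting (e.g. in sessionStorage).
function parseImplicitCallback(callbackUrl, expected) {
  const hash = new URL(callbackUrl).hash;               // the fragment never reaches the server
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  if (params.has('error')) throw new Error(`authorization failed: ${params.get('error')}`);
  if (!params.get('state') || params.get('state') !== expected.state) {
    throw new Error('state mismatch: response does not belong to our request (possible CSRF)');
  }
  const accessToken = params.get('access_token');
  if (!accessToken) throw new Error('access_token missing from fragment');
  if ((params.get('token_type') || '').toLowerCase() !== 'bearer') throw new Error('unexpected token_type');
  const result = { accessToken, expiresIn: Number(params.get('expires_in')), idToken: null, claims: null };
  const idToken = params.get('id_token');
  if (expected.nonce && !idToken) throw new Error('id_token missing from OpenID Connect response');
  if (idToken) {
    // Claims are trustworthy only after signature verification (JWKS or the tokeninfo endpoint),
    // which is omitted here; the checks below are the client-side bindings.
    const claims = JSON.parse(base64UrlDecode(idToken.split('.')[1]));
    if (claims.nonce !== expected.nonce) throw new Error('nonce mismatch: id_token replayed or not ours');
    if (![].concat(claims.aud).includes(expected.clientId)) throw new Error('id_token audience is not this client');
    if (typeof claims.exp !== 'number' || claims.exp * 1000 <= Date.now()) throw new Error('id_token expired');
    result.idToken = idToken;
    result.claims = claims;
  }
  return result;
}

// Constructed sample: stored values and a callback URL of the shape shown in step 3 above.
const EXPECTED = { state: 'af0ifjsldkj', nonce: 'n-0S6_WzA2Mj', clientId: 'client_id' };
const sampleIdToken = [
  base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ iss: 'https://eid.example', aud: 'client_id', nonce: 'n-0S6_WzA2Mj', exp: 4102444800 })),
  'constructed-signature-placeholder',
].join('.');
const sampleCallback = 'https://testoauthapp.com/callbackUrl#access_token=SlAV32hkKG&state=af0ifjsldkj'
  + '&token_type=Bearer&expires_in=3600&id_token=' + sampleIdToken;
```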