Implicit Grant ⚠️ ⚠️
Not Recommended
This server supports the Implicit Grant, but its use is strongly discouraged due to security concerns. The OAuth 2.0 Security Best Current Practice (RFC 8252) recommends against using the Implicit Grant flow.
For native and single-page applications, the recommended approach is to use the Authorization Code Grant with the PKCE (Proof Key for Code Exchange) extension. This method provides better security without requiring a client secret.
If you're developing a web application with a backend, consider using the standard Authorization Code Grant with a client secret stored securely on your server.
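The PKCE exchange recommended above for native and single-page applications, sketched in Node.js as an added example (not this server's own code). The function names, the endpoint and the client values are assumptions made for illustration; the challenge derivation follows the S256 method of RFC 7636.

```javascript
// Added example: PKCE (RFC 7636) with the S256 method. All names are illustrative.
const { createHash, randomBytes, timingSafeEqual } = require("node:crypto");

// Client: 32 random bytes give a 43-character base64url code_verifier.
function createCodeVerifier() {
  return randomBytes(32).toString("base64url");
}

// Client and server: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
function s256Challenge(codeVerifier) {
  return createHash("sha256").update(codeVerifier, "ascii").digest("base64url");
}

// Client: authorization request with response_type=code instead of token.
// The endpoint, client_id and redirect_uri passed in are placeholders (assumptions).
function buildAuthorizationUrl({ authorizeEndpoint, clientId, redirectUri, state, codeVerifier }) {
  const url = new URL(authorizeEndpoint);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    code_challenge: s256Challenge(codeVerifier),
    code_challenge_method: "S256",
  }).toString();
  return url.toString();
}

// Server, at the token endpoint: the code is redeemable only by the party that
// holds the verifier matching the challenge stored with the authorization code.
function verifyCodeVerifier(codeVerifier, storedChallenge) {
  // RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
  if (typeof codeVerifier !== "string" || !/^[A-Za-z0-9\-._~]{43,128}$/.test(codeVerifier)) {
    return false;
  }
  const expected = Buffer.from(s256Challenge(codeVerifier));
  const stored = Buffer.from(String(storedChallenge));
  return expected.length === stored.length && timingSafeEqual(expected, stored);
}
```

The client keeps the verifier in memory for the duration of the flow and sends it only in the token request, so an authorization code intercepted on the redirect cannot be exchanged on its own.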
Please look at these great resources:
- OAuth 2.0 Implicit Grant
- VIDEO: What's Going On with the Implicit Flow? by Aaron Parecki
- Is the OAuth 2.0 Implicit Flow Dead? by Aaron Parecki (developer.okta.com)