Implicit flow - Idura Verify Documentation

Protocol overview

The Implicit flow returns an ID token directly to the browser in the URL fragment (the part after #), so there is no code exchange as in the authorization code flow. The token is therefore exposed to the user agent and potentially to malicious actors, which can lead to token interception or leakage. For this reason, the Implicit flow is considered a legacy flow and should not be used in production applications. It remains available in the test environment for debugging and testing.

@criipto/auth-js supports Implicit flow.

Example request

GET https://YOUR_SUBDOMAIN.idura.broker/oauth2/authorize?
    response_type=id_token&
    response_mode=fragment&
    client_id=CLIENT_ID&
    redirect_uri=YOUR_REDIRECT_URL&
    acr_values=CHOSEN_IDENTITY_SERVICE&
    scope=openid&
    state=YOUR_STATE

Example response

HTTP/1.1 302 Found
Location: YOUR_REDIRECT_URL#id_token=eyJ[...].eyJ[...].Sfl[...]&state=[...]
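
The fragment in the response above is only visible to script running in the browser, so a test client has to parse and check it itself. The following is an added example, not code from the Idura documentation or from @criipto/auth-js: the function names, the app.example callback URL and the sample token are constructed. It parses the fragment, compares state with the value sent in the request, applies the ID token checks that need no key material, and strips the fragment from the URL; signature verification is not part of it.

```javascript
// Added example; function and parameter names are assumptions, not an Idura or
// @criipto/auth-js API. Runs in a browser or in Node 16+.

// Decode one base64url JWT segment to an object (UTF-8 safe).
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Parse the redirect produced by response_mode=fragment and apply the checks
// that need no key material. The signature is NOT verified here: the claims
// stay untrusted until the token is verified against the issuer's signing keys.
function handleImplicitResponse(redirectedUrl, expectedState, clientId, nowSeconds) {
  const url = new URL(redirectedUrl);
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));

  // state must equal the value this browser session sent in the request.
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }
  // With fragment mode, OAuth error responses arrive in the fragment too.
  if (params.has('error')) {
    throw new Error('authorization error: ' + params.get('error'));
  }
  const idToken = params.get('id_token') || '';
  const parts = idToken.split('.');
  if (parts.length !== 3 || parts.some((p) => p === '')) {
    throw new Error('missing or malformed id_token');
  }
  const claims = decodeSegment(parts[1]);
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(clientId)) throw new Error('aud does not match client_id');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    throw new Error('id_token expired');
  }
  // Drop the fragment so the token does not linger in the address bar or
  // history; in a browser, pass cleanedUrl to history.replaceState().
  url.hash = '';
  return { idToken, unverifiedClaims: claims, cleanedUrl: url.toString() };
}

// Constructed sample redirect (fake token, placeholder signature "c2ln").
function sampleRedirect(state, claims) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `https://app.example/callback#id_token=${enc({ alg: 'RS256' })}.${enc(claims)}.c2ln&state=${state}`;
}
```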