OIDC Implicit Flow (Legacy)

OpenID Connect Implicit flow returns tokens directly from the authorization endpoint (OIDC Core §3.2). ⚠️ DEPRECATED: Not recommended for new applications due to token exposure in browser history and URL. Use Authorization Code + PKCE instead.

Try in Looking Glass
ID Token

Sequence Diagram

Click any step for details

ClientAuth ServerUser1Authentication Request2User Authentication & Consent3Token Response via Fragment4ID Token Validation
Request
Response
Redirect
Internal

Step-by-Step Breakdown

1
Authentication Request
ClientOpenID Provider
2
User Authentication & Consent
UserOpenID Provider
3
Token Response via Fragment
OpenID ProviderClient
4
ID Token Validation
ClientClient

Token Inspector

Specs for this flow

Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.

Core specs

· The specifications that define this protocol.