API Management versions 7.5.X and 7.6.X have reached end of support in November 2020.
Check out the latest version of the documentation.

Implicit grant (or user agent) flow

The implicit grant (user agent) authentication flow is used by client applications (consumers) residing on the user's device. This can be implemented in a browser using a scripting language such as JavaScript, or from a mobile device, or a desktop application. These consumers cannot keep the client secret confidential (application password or private key).

The user agent flow is as follows:

  1. The web server redirects the user to the API Gateway acting as an authorization server to authenticate and authorize the server to access data on their behalf.
  2. After the user approves access, the web server receives a callback with an access token in the fragment of the redirect URL.
  3. After the token is granted, the application can access the protected data with the access token.

OAuth 2.0 User Agent Flow

Obtain an access token

This section details the steps for obtaining an access token.

Web server redirects user to authorization endpoint

Redirect the user to the authorization endpoint with the following parameters:

Parameter Description


Required. Must be set to token.


Required. The client ID generated when the application was registered in the Client Application Registry.


Optional. The location where the access token will be sent. This value must match one of the values provided in the Client Application Registry.


Optional. A space delimited list of scopes, which indicates the access to the resource owner's data requested by the application.


Optional. Any state the consumer wants reflected back to it after approval during the callback.

The following is an example URL:

Note   During this step the resource owner user must approve access for the application (web server) to access their protected resources, as shown in the following example window.

OAuth 2.0 Implicit Grant Flow - Grant Access

Web server receives callback with access token

The response to the above request is sent to the redirect_uri. If the user approves the access request, the response contains an access token and the state parameter (if included in the request). For example:


If the user does not approve the request, the response contains an error message.

After the request is verified, the API Gateway sends a response to the client. The following parameters are contained in the fragment of the redirect:

Parameter Description


The token that can be sent to the resource server to access the protected resources of the resource owner (user).


The remaining lifetime on the access token.


Indicates the type of token returned. This field always has a value of Bearer.


Optional. If the client application sent a value for state in the original authorization request, the state parameter is populated with this value.

Web server uses access token to access protected resources

After the application obtains an access token, it can gain access to protected resources on the resource server by placing it in an Authorization:Bearer  HTTP header:

GET /oauth/protected HTTP/1.1
Authorization:Bearer O91G451HZ0V83opz6udiSEjchPynd2Ss9

For example, the curl  command to call a protected resource with an access token is as follows:

curl -H "Authorization:Bearer O91G451HZ0V83opz6udiSEjchPynd2Ss9" 

Run the sample client

The following Jython sample client creates and sends an authorization request for the implicit grant flow to the authorization server:


To run the sample, perform the following steps:

  1. Open a shell prompt at the INSTALL_DIR/samples/scripts directory.
  2. Execute the following command:
  3. > run oauth/implicit_grant.py
  4. The script outputs the following:
  5. > Go to the URL here:
    Enter Access Token code in dialog
  6. After the resource owner has authorized and approved access to the application, the authorization server redirects to the redirection URI a fragment containing the access token. For example:
  7. https://localhost/oauth_callback#
  8. In this example, the access token is:
  9. 4owzGyokzLLQB5FH4tOMk7Eqf1wqYfENEDXZ1mGvN7u7a2Xexy2OU9
  10. Enter this value into the Enter Access Token from fragment  dialog.
  11. Entering OAuth 2.0 Access Token
  12. The script attempts to access the protected resource using the access token. For example:
  13. **********************ACCESS TOKEN RESPONSE******************************
    Access token received from authorization server 4owzGyokzLLQB5FH4tOMk7Eqf1wqYfEN
    Now we can try access the protected resource using the access token
    Executing get request on the protected url
    Response from protected resource request is:200
    <html>Congrats! You've hit an OAuth protected resource</html>

Related Links