Hi Adam,
I'm not 100% sure what you're envisioning as an alternative to the implicit
flow, but if I'm reading between the lines of your question correctly,
there are two key parts to the answer, because the implicit flow is
designed to accomplish two key goals (vs. the authorization code grant):

It isn’t an extra step, the call back via 302 has to be to a URI in the
location header. The JS loaded by that URI may already be cached in the
browser as part of the APP.
The cached JS typically extracts the token and uses it. The token is never
passed to the server where the JS is loaded f
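
The redirect handling described in the message above, as an added example that is not part of the original thread. The function names, the redirect URI, the token and the state value are constructed for illustration, and the `state` and `token_type` checks come from the implicit-grant response format in RFC 6749 rather than from the message.

```javascript
// Constructed sample: the Location header value of the 302 sent by the
// authorization server. Everything after '#' is the URI fragment.
const SAMPLE_LOCATION =
  'https://app.example/cb?from=login' +
  '#access_token=SAMPLE-TOKEN-123&token_type=Bearer&expires_in=3600&state=xyz789';

// What the browser requests from the server hosting the JS when it follows
// the 302: path and query only. The fragment stays in the browser, which is
// why the token is never passed to that server.
function requestTargetSentToServer(redirectLocation) {
  const u = new URL(redirectLocation);
  return u.pathname + u.search;
}

// What the (possibly cached) JS does once the page has loaded: parse the
// form-encoded fragment, reject error or mismatched-state responses, and
// return the token for use in API calls.
function extractImplicitResponse(redirectLocation, expectedState) {
  const u = new URL(redirectLocation);
  const params = new URLSearchParams(u.hash.replace(/^#/, ''));

  if (params.has('error')) {
    return { ok: false, reason: params.get('error') };
  }
  // state ties the response to the request this client started
  if (!expectedState || params.get('state') !== expectedState) {
    return { ok: false, reason: 'state_mismatch' };
  }
  const token = params.get('access_token');
  const type = (params.get('token_type') || '').toLowerCase();
  if (!token || type !== 'bearer') {
    return { ok: false, reason: 'missing_or_unsupported_token' };
  }
  const expiresIn = params.has('expires_in')
    ? Number(params.get('expires_in'))
    : null;
  return { ok: true, accessToken: token, expiresIn };
}

// In a browser the caller would pass window.location.href and then drop the
// fragment from the address bar and history so the token does not linger there.
function scrubFragment() {
  if (typeof history !== 'undefined' && typeof location !== 'undefined') {
    history.replaceState(null, '', location.pathname + location.search);
  }
}
```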

Hi,
Having spent most of my time with native apps and web apps, I now am looking at
use cases where I need to implement a user-agent-based app. The Implicit flow
seems to be optimized for this.
To test my understanding, this flow is for a JavaScript client (or similar)
executing within a web