The Implicit flow has been omitted from the OAuth 2.1 specification, and it is no longer recommended for SPAs. Please refer to the authorization code flow with PKCE for SPAs.
Implicit flow is a simplified version of the authorization code flow. In this grant type, the client receives the access and ID tokens directly in the response to its authorization request (via a redirect), over a secure communication channel, with no intermediate authorization code requested or returned.
This guide describes how implicit flow can be integrated with CyberArk Identity using the CyberArk Identity Java SDK.
Configure the OIDC client instance as below:
```java
import com.cyberark.client.OIDCClient;

// The client secret parameter is not necessary for the Implicit flow (as with Authorization code flow with PKCE, this is a public client).
OIDCClient oidcClient = new OIDCClient(YOUR_TENANT_URL, YOUR_OIDC_APPLICATION_ID, YOUR_CLIENT_ID);
```
The client application should send an authorization request using AuthorizeUrlBuilder to authenticate the user with the CyberArk Identity provider, as shown below:
```java
AuthorizeUrlBuilder authorizeUrlBuilder = oidcClient.authorizeUrl(YOUR_REDIRECT_URL)
        .setResponseType("id_token token") // "id_token" in response_type is mandatory for the Implicit flow.
        .setScope("openid email");

// Build the authorize URL that the user is redirected to.
String authURL = authorizeUrlBuilder.build();
```
The redirect URI (YOUR_REDIRECT_URL) must be white-listed in the Authorized Redirect URIs section under the Trust section of the OpenID Connect web application.
After authentication, the user is redirected to the redirect URI, and the access and ID tokens are sent as part of that redirect URI.
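As an added example (not part of this guide or of the CyberArk Identity SDK), the plain Java below handles the redirect described above: it reads the tokens from the fragment of the redirect URI and accepts them only when the `state` value matches the one the client generated before redirecting. It assumes the client added a random `state` parameter to the authorize request and stored it; the class name and the sample redirect URI are constructed for the example.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

/** Added example, not SDK code: parses the fragment of an Implicit-flow redirect and checks state. */
public final class ImplicitRedirectHandler {
    /** Splits "k=v&k2=v2" into a map, percent-decoding keys and values. */
    static Map<String, String> parseFragment(String fragment) {
        Map<String, String> params = new HashMap<>();
        if (fragment == null) {
            return params;
        }
        for (String pair : fragment.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }
    /** Returns the tokens only if the response carries the state issued at authorize time. */
    static Map<String, String> extractTokens(String redirectedTo, String expectedState) {
        // Implicit responses carry tokens in the URI fragment (after '#'), not the query string.
        Map<String, String> params = parseFragment(URI.create(redirectedTo).getRawFragment());
        if (params.containsKey("error")) {
            throw new IllegalStateException("authorization failed: " + params.get("error"));
        }
        if (!expectedState.equals(params.get("state"))) {
            throw new IllegalStateException("state mismatch: response was not started by this client");
        }
        if (!params.containsKey("id_token") || !params.containsKey("access_token")) {
            throw new IllegalStateException("response is missing id_token or access_token");
        }
        Map<String, String> tokens = new HashMap<>();
        tokens.put("id_token", params.get("id_token"));
        tokens.put("access_token", params.get("access_token"));
        return tokens;
    }
    public static void main(String[] args) {
        // Constructed sample redirect; token values are placeholders, not real tokens.
        String state = "a8f3c1";
        String redirected = "https://app.example.com/callback#access_token=SAMPLE_AT"
                + "&token_type=Bearer&id_token=SAMPLE_IDT&state=" + state;
        System.out.println(extractTokens(redirected, state).keySet());
    }
}
```

The ID token must still be validated (signature, issuer, audience, expiry, and the nonce sent in the authorize request) before the user is treated as authenticated.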