Integrate authentication using OIDC implicit flow



The Implicit flow has been omitted from the OAuth 2.1 specification, and using it for SPAs is no longer recommended. For SPAs, refer to the authorization code flow with PKCE.



  1. Set up an OpenID Connect (OIDC) custom application in the CyberArk Identity tenant
  2. Install the CyberArk Identity Java SDK

Implicit flow is a simplified version of the authorization code flow. In this grant type, the client receives the access and ID tokens directly in response to an authorization request (via a redirect), over a secure communication channel, with no intermediate authorization code requested or returned.

This guide describes how implicit flow can be integrated with CyberArk Identity using the CyberArk Identity Java SDK.

Configure an OIDC Client instance

Configure the OIDC client instance as shown below:

import com.cyberark.client.OIDCClient; 

// client secret parameter is not necessary for Authorization code flow with PKCE.

Build an authorize URL

The client application should send an authorization request using AuthorizeUrlBuilder to authenticate the user with the CyberArk Identity provider as shown below:

AuthorizeUrlBuilder authorizeUrlBuilder = identityOIDCClient.authorizeUrl(YOUR_REDIRECT_URL)
    .setResponseType("id_token token") // id_token response_type is mandatory for Implicit flow.
    .setScope("openid email");

// To get authorize URL
String authURL =;

Note: The redirectUri must be white-listed in the Authorized Redirect URIs section under the Trust section of the OpenID Connect web application.

The user will be redirected to the redirect URI and the access and ID tokens are sent as part of the redirect URI.
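
Because the tokens arrive in the redirect URI, the receiving client should check them before use. The following is an added example, not part of the CyberArk Identity SDK: it parses the redirect fragment and checks state, nonce, and the at_hash claim that binds the access token to the ID token (OIDC Core 3.2.2.9). The function names, the expected state and nonce values, and the sample redirect are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// at_hash (OIDC Core 3.2.2.9): base64url of the left half of the access-token
// hash, using the hash function named by the ID token's "alg" header.
function atHash(accessToken, alg) {
  const m = /^(?:RS|PS|ES|HS)(256|384|512)$/.exec(alg);
  if (!m) throw new Error(`unsupported alg: ${alg}`); // also rejects "none"
  const digest = crypto.createHash(`sha${m[1]}`).update(accessToken, 'utf8').digest();
  return digest.subarray(0, digest.length / 2).toString('base64url');
}

const decodePart = (p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));

// expected = { state, nonce }: values the client generated and stored before
// redirecting to the authorize URL (assumed; not shown in the page's builder call).
function handleImplicitRedirect(redirectUrl, expected) {
  const params = new URLSearchParams(new URL(redirectUrl).hash.slice(1));
  if (params.has('error')) throw new Error(`authorization error: ${params.get('error')}`);
  if (!expected.state || params.get('state') !== expected.state) throw new Error('state mismatch');
  const idToken = params.get('id_token');
  const accessToken = params.get('access_token');
  if (!idToken || !accessToken) throw new Error('missing token');
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed id_token');
  const header = decodePart(parts[0]);
  const claims = decodePart(parts[1]);
  if (!expected.nonce || claims.nonce !== expected.nonce) throw new Error('nonce mismatch');
  if (claims.at_hash !== atHash(accessToken, header.alg)) throw new Error('at_hash mismatch');
  // Signature, iss, aud and exp still have to be verified before trusting claims.
  return { idToken, accessToken, claims };
}

// Constructed sample redirect; the "signature" segment is a placeholder.
function sampleRedirect({ accessToken, nonce, state, alg = 'RS256' }) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const idToken = [enc({ alg }), enc({ nonce, at_hash: atHash(accessToken, alg) }), 'c2ln'].join('.');
  const q = new URLSearchParams({ access_token: accessToken, id_token: idToken, state, token_type: 'Bearer' });
  return `https://app.example/callback#${q}`;
}
```

The checks run in the order state, nonce, at_hash, so a redirect that the client did not initiate is rejected before any token content is parsed.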