Integrate the OIDC Implicit Code

This topic describes the Java SDK OIDC Implicit flow integration.


The Implicit flow is required for apps and websites that have no back end logic on the web server, and where everything that is passed between the app or website and the Authorization server can be viewed using browser development tools.
Use the Implicit Flow for applications that cannot maintain the secrecy of a client secret (for example, browser-based applications).
The application obtains an access token directly in an authorization request (via a redirect), over a secure communication channel, with no intermediate authorization code requested or returned.

Before you begin

Integrate the SDK

Follow the steps below to use this SDK to get the access_token, id_token and User Info.

Step 1: Configure an OIDC Client instance

  • Import the SDK as specified in the Before you get started section.
  • Pass the required parameters to create an OIDCClient instance.
import com.cyberark.client.OIDCClient;

// client secret parameter is not necessary for Implicit flow.

Step 2: Build an authorize URL

Create an AuthorizeUrlBuilder to authenticate the user with the CyberArk Identity provider. The redirectUri must be white-listed in the Authorized Redirect URIs section under the Trust section of the OpenID Connect web application.

Call the following builder methods using the OIDCClient instance.

AuthorizeUrlBuilder authorizeUrlBuilder = identityOIDCClient.authorizeUrl(YOUR_REDIRECT_URL)
    .setResponseType("id_token token") // id_token response_type is mandatory for Implicit flow.
    .setScope("openid email");

// To get authorize URL
String authURL =;
https://YOUR_TENANT_URL/OAuth2/Authorize/YOUR_OIDC_APPLICATION_ID?redirect_uri=YOUR_REDIRECT_URI&client_id=YOUR_OIDC_CLIENT_ID&scope=openid email&response_type=id_token,token

Redirect to the authorize URL obtained above and post authentication with CyberArk Identity. In case of unauthentication, receive the id_tokenandtoken` as part of the redirected URL mentioned above.

https://YOUR_REDIRECT_URI#responseType=token,id_token&access_token=YOUR_ACCESS_TOKEN&token_type=Bearer&expires_in=18000&id_token=YOUR_ID_TOKEN&scope=openid email

Based on the requested response_type, id_token and access_token are received in the redirect resource itself.


Supported Response types for Implicit Flow

  • id_token
  • id_token token

access_token is useful in accessing the resources by your front end applications to get immediate user identity.

Step 3: Get User Info

To get user information using the User Info method, use the access_token.

UserInfo userInfo = identityOIDCClient.userInfo(YOUR_ACCESS_TOKEN)
  aud: "518b31c8-225e-47c0-b489-2f091157eb5c",
  auth_time: 1636107642,
  email: "YOUR_USER_EMAIL",
  email_verified: true,
  family_name: "YOUR_USER_NAME",
  given_name: "YOUR_USER_NAME",
  name: "YOUR_USER_NAME",
  preferred_username: "YOUR_COMPLETE_USER_NAME",
  sub: "bcce5189-93a0-4bd4-91a9-d5f6ee0fa6e4",
  unique_name: "YOUR_COMPLETE_USER_NAME"

Common Methods

For common methods, such as refreshToken, revokeToken and claims, refer to CyberArk Identity Java SDK reference.