OAuth2 Implicit Grant
In the implicit flow a user authorizes with the authorization server. After that an access token is issued. The access token can then be used to access a resource.
This flow is suitable in situations where the clients credentials can't be kept confidential e.g. an HTML5 Web App running in the browser. The implicit flow uses less requests to get an access token. The client needs to be able to interact with the user agent, e.g. for redirecting.
Securing your Resources with OAuth2 using Membrane
Membrane Service Proxy can be used to authorize HTTP requests based on the RFC 6749 OAuth 2.0 Authorization Framework. It supports the OAuth2 implicit flow.
To specify it in greater detail: Membrane API Gateway can act as the authorization server in the OAuth 2.0 implicit flow.
The flow comprises the steps:
1. The user starts the authorization process by requesting access to the secret resource. 2. The client redirects the user to the authorization server to start the login procedure. 3.1 The user automatically calls the authorization endpoint ( through the redirect of the client ). 3.2 The user authorizes with his/her credentials and accepts the information on the consent page. 4. After successful authorization the user is redirected to the clients callback URL. The URL contains, among other parameters, the access token. 5. The client requests userinfos with his access token. 6. The authorization server answers with the information about the user. 7. The client collects all OAuth2 / OpenID Connect data ( which can then be further prepared for the secret resource e.g. with a Groovy interceptor ) and starts retrieving the secret resource. 8. + 9. The resource is delivered to the user.
See $MEMBRANE_HOME/examples/oauth2/implicit in the Membrane Service Proxy distribution for a working example.