OAuth 2 Implicit Grant in ACS - nordvall/TokenClient GitHub Wiki

The flow consists of:

  • The client redirects the user's browser to the authorization server with client_id, redirect_uri, scope and response_type=token included. *
  • The user logs in and approves the requested permissions.
  • The authorization server redirects back to the redirect_uri with the access token in the URL fragment (after the #), not in the query string or the response body.

* No client secret is included, because this flow is meant to run on the user's own device (a browser or native app), and you do not want to distribute the client secret to all your users. Anything shipped to the user's device must be treated as public.

This grant is not supported in ACS.

  • ACS has no authorization endpoint to send the authorization request to, and
  • ACS has no knowledge of the end users' credentials, so it cannot authenticate them or ask them for consent.

Your own backend application could theoretically implement this grant, as with the Authorization Code grant. But to get an access token from ACS you need both the client_id and the client_secret, and your backend application has no, or at least should not have, knowledge of the client secret: a client that runs on the user's device cannot be given one without exposing it.