Implicit Flow

This flow can be used by both web-based and native applications.

  1. The flow starts by redirecting the user to the authorize endpoint using a URL.
    • The URL contains the client ID, requested scopes, and redirection URI to which the authorization web service sends the user after access is granted or denied.
    • The URL is in the following format:
https://auth.agsync.com/core/connect/authorize?client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&response_mode=form_post&response_type=id_token+token&scope=openid+profile+email+agsync+roles&state=STATE&nonce=NONCE
  2. The user is prompted for his or her sign-in credentials and grants or denies the client's access request.
  3. If the user has granted access, the token server redirects the user to the client by using the redirection URI that was provided in the initial request.
    • The redirection is done via a form post to the redirection URI. The access token, identity token, scope and expiration are included in the form post.
    • For example:
    <form method="post" action="REDIRECT_URI">
      <input type="hidden" name="id_token" value="TOKEN" />
      <input type="hidden" name="access_token" value="TOKEN" />
      <input type="hidden" name="token_type" value="Bearer" />
      <input type="hidden" name="expires_in" value="43200" />
      <input type="hidden" name="scope" value="openid profile email agsync roles" />
      <input type="hidden" name="state" value="STATE" />
      <input type="hidden" name="session_state" value="SESSION_STATE" />
    </form>
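
A client should tie the form post in step 3 back to the request it built in step 1 by checking the returned state and the nonce claim inside the identity token. The following is an added example, not AgSync's own code: the function names and the sample form body are hypothetical, and it assumes the identity token's signature is verified separately with a JWT library before any claim is trusted.

```python
import base64, hmac, json, secrets
from urllib.parse import parse_qs, urlencode

AUTHORIZE_ENDPOINT = "https://auth.agsync.com/core/connect/authorize"

def build_authorize_url(client_id, redirect_uri):
    """Step 1: return (url, state, nonce). Keep state and nonce in the user's session."""
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": client_id, "redirect_uri": redirect_uri,
        "response_mode": "form_post", "response_type": "id_token token",
        "scope": "openid profile email agsync roles",
        "state": state, "nonce": nonce,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}", state, nonce

def jwt_claims(token):
    """Decode the JWT payload only. The signature is NOT verified here (assumed done elsewhere)."""
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(str(a).encode(), str(b).encode())

def check_callback(form_body, expected_state, expected_nonce):
    """Step 3: bind the form post to the request made in step 1."""
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if not same(form.get("state", ""), expected_state):
        raise ValueError("state mismatch")
    if form.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    try:
        claims = jwt_claims(form["id_token"])
    except (KeyError, IndexError, ValueError) as exc:
        raise ValueError("id_token missing or malformed") from exc
    if not same(claims.get("nonce", ""), expected_nonce):
        raise ValueError("nonce mismatch")
    return form["access_token"], int(form["expires_in"])

def sample_form_post(state, nonce):
    """Constructed sample of the step-3 body; the id_token is unsigned test data."""
    body = base64.urlsafe_b64encode(json.dumps({"nonce": nonce}).encode()).decode().rstrip("=")
    return urlencode({"id_token": f"e30.{body}.sig", "access_token": "TOKEN",
                      "token_type": "Bearer", "expires_in": "43200",
                      "scope": "openid profile email agsync roles", "state": state})
```

A response that fails either check should be discarded without storing or using the access token.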