
# OAuth 2 Implicit Flow

The **Implicit Flow** is a degraded variant of the [**Authorization Code Flow**](/securite-des-apis-rest/oauth-2/oauth-2-authorization-code-flow.md).

It is unavoidable when the **Client** is public *(non-confidential)*.

![OAuth 2 Implicit Flow](/files/-LFLsdRcN1UMrOGT2I4o)

1\. The **Client** redirects the **Resource Owner** to the **Authorization Server**:

```
https://accounts.google.com/o/oauth2/v2/auth?
response_type=token
&client_id=CLIENT_ID
&redirect_uri=CALLBACK_URL
&scope=read
&state=...
```

2\. The **Resource Owner** approves or rejects the requested access permissions on the consent screen provided by the **Authorization Server**.

3\. The **Authorization Server** redirects the **Resource Owner** back to the **Client**, which then receives the **Access Token** directly in the URL fragment.

```
https://cal-tracker.wishtack.io/oauth/callback#
access_token=ACCESS_TOKEN
&token_type=bearer
&scope=...
&state=...
```

The fragment is used so that the **Access Token** is never transmitted to the service hosting the application.

4\. The **User-Agent** therefore follows the redirect, but the fragment never leaves the **Device**.

5\. The **Client** then runs the code that extracts the **Access Token** from the fragment.
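As an added example (not part of the original guide), here is how a browser **Client** might implement step 5 in JavaScript: parse the fragment, verify the `state` value it generated before the redirect, and reject anything else. The function `parseImplicitCallback`, the sample callback URL and the expected `state` are all constructed for this illustration.

```javascript
// Added example: Client-side handling of the Implicit Flow callback.
// `parseImplicitCallback` is a hypothetical helper; the URL below is a
// constructed sample shaped like the callback shown in step 3.
const SAMPLE_CALLBACK =
  'https://cal-tracker.wishtack.io/oauth/callback' +
  '#access_token=ACCESS_TOKEN&token_type=bearer&scope=read%20write&state=xyz123';

function parseImplicitCallback(callbackUrl, expectedState) {
  const url = new URL(callbackUrl);
  // The token must arrive in the fragment (after '#'): the fragment is not
  // sent with the HTTP request, so the hosting service never sees it.
  // A token in the query string (or a lost fragment) is rejected.
  if (!url.hash || url.hash.length <= 1) {
    throw new Error('no fragment in callback URL');
  }
  const params = new URLSearchParams(url.hash.slice(1));
  // Stop if the Authorization Server reported an error instead of a token.
  if (params.has('error')) {
    throw new Error(`authorization error: ${params.get('error')}`);
  }
  // `state` binds this response to the request this Client started; a
  // mismatch means the response was not initiated by this session (CSRF).
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }
  const accessToken = params.get('access_token');
  const tokenType = params.get('token_type');
  if (!accessToken || !tokenType || tokenType.toLowerCase() !== 'bearer') {
    throw new Error('missing access_token or unsupported token_type');
  }
  return {
    accessToken,
    tokenType: 'bearer',
    scope: (params.get('scope') || '').split(' ').filter(Boolean),
    expiresIn: params.has('expires_in') ? Number(params.get('expires_in')) : null,
  };
}

// In a browser the call would be:
//   const token = parseImplicitCallback(location.href, sessionStorage.getItem('oauth_state'));
//   history.replaceState(null, '', location.pathname); // drop the fragment from the address bar
```

The `expectedState` is the value the Client stored (for example in `sessionStorage`) before building the authorization URL in step 1.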

{% hint style="warning" %}
Some mischievous User-Agents tend to lose fragments\
<https://bugs.webkit.org/show_bug.cgi?id=24175>
{% endhint %}

{% hint style="danger" %}
The **Resource Owner** holds the **Access Token** and can therefore bypass the **Client** and talk directly to the **Resource Server**.

In other words, in a **man-in-the-middle** scenario, an attacker can request authorizations on behalf of the **Client** and freely use the **Access Token** to communicate with the **Resource Server**.

It is for these reasons, among others, that the [Authorization Code Flow](/securite-des-apis-rest/oauth-2/oauth-2-authorization-code-flow.md) is recommended.
{% endhint %}
