Refresher on the implicit grant flow
As you should recall from Chapter 2, A Bird's Eye View of OAuth 2.0, the implicit grant flow is the OAuth 2.0 flow used for untrusted clients. These are typically HTML/JavaScript web applications that do not have the ability to securely store and transmit information, say, from a backend server. Because of this, they have a simpler workflow than other applications using the alternative authorization code grant flow.
Once again, the implicit grant flow looks like this:
In the context of our application, WMIIG (World's Most Interesting Infographic Generator), the sequence of steps are as follows:
The user visits WMIIG and initiates the process to see the world's most interesting infographic.
WMIIG says, "Sure! But I'll need to access your profile and feed data to do so, and for this, I'll need your authorization. Go here…"
WMIIG sends you to Facebook. Here, Facebook asks you directly for authorization for WMIIG to access your profile and feed data on your behalf...