First look at the client-side flow
Let's, once again, go back to our example of GoodApp wanting to suggest contacts to you by looking at your Facebook friends. Imagine that the GoodApp client application is actually a simple web application hosted in the browser. This is an example of an untrusted client due to its inability to securely store information. The implicit grant type is best suited for this type of client application. Let's look at how the exchange of information (step 4 in the workflow image mentioned in the User consent section) is achieved using the implicit grant type.
An untrusted client – GoodApp requests access for user's Facebook friends using implicit grant
Since GoodApp, in this case, is an untrusted client, they cannot be trusted to store or relay any confidential information. Specifically, they cannot store any client credentials or tokens. Because of this, they have a very simple workflow. Here is what the exchange looks like, picking up after...
