I don't know if I just have some kind of blind spot or what, but I've read the OAuth 2 spec many times over and perused the mailing list archives, and I have yet to find a
It boils down to: If a user is running a browser-based, or "public", (JavaScript) web app with no server-side component, then the user implicitly trusts the app (and the browser where it runs, potentially with other browser-based apps...).
There is no 3rd-party remote server, only the resource server. There is no benefit to an authorization code, because there is no other agent besides the browser acting on behalf of the user. There is no benefit to client credentials for the same reason. (Any client can attempt to use this flow.)
The security implications, however, are significant. From http://tools.ietf.org/html/rfc6749#section-10.3:
When using the implicit grant type, the access token is transmitted in the URI fragment, which can expose it to unauthorized parties.
From http://tools.ietf.org/html/rfc6749#section-10.16:
A resource owner may willingly delegate access to a resource by granting an access token to an attacker's malicious client. This may be due to phishing or some other pretext...
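The fragment exposure quoted from section 10.3 can be narrowed on the client side. The sketch below is an added example, not part of the original post: it checks the `state` value, reads the token from the fragment, and replaces the history entry so the token does not stay in the URL. The function names, the `loc`/`hist` stand-ins for `window.location`/`window.history`, and all sample values are assumptions.

```javascript
// Added example: handle an implicit-grant redirect (RFC 6749 section 4.2.2).
// `loc` and `hist` stand in for window.location and window.history so the
// logic can also run outside a browser. Names here are hypothetical.

function parseImplicitResponse(fragment, expectedState) {
  const params = new URLSearchParams(fragment.replace(/^#/, ""));
  if (params.has("error")) {
    throw new Error("authorization error: " + params.get("error"));
  }
  // The state value ties this response to the request this app started;
  // a response carrying someone else's token will not match it.
  if (!expectedState || params.get("state") !== expectedState) {
    throw new Error("state mismatch");
  }
  const token = params.get("access_token");
  const type = (params.get("token_type") || "").toLowerCase();
  if (!token || type !== "bearer") {
    throw new Error("missing or unsupported token");
  }
  const expiresIn = Number(params.get("expires_in"));
  return {
    accessToken: token, // keep in memory only
    expiresIn: Number.isFinite(expiresIn) && expiresIn > 0 ? expiresIn : null,
  };
}

function consumeRedirect(loc, hist, expectedState) {
  const fragment = loc.hash;
  // Scrub the fragment first, so the token leaves the address bar and the
  // session history entry even when validation fails below.
  hist.replaceState(null, "", loc.pathname + loc.search);
  return parseImplicitResponse(fragment, expectedState);
}

// In a browser (expectedState is whatever the app stored before redirecting):
//   const result = consumeRedirect(window.location, window.history, expectedState);
```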