How secure is Oauth 2.0 Implicit Grant?

Backend · unresolved · 3 answers · 1602 views
南旧 2020-12-14 11:45

In Implicit Grant, the access token is sent back in the callback URL. Is this not a security risk, if this callback URL is cached at a hop? In general it is advise

3 answers
  •  臣服心动
    2020-12-14 12:10

    Elaborating on @vlatko's response...

    To mitigate the risk of sending the token in the fragment (or via any other OAuth2 grant):

    • ensure that the OAuth endpoint and the callback endpoint are TLS (https) (See countermeasures)
    • send a state parameter to prevent cross-site forgery (Also see: http://tools.ietf.org/html/rfc6749#section-4.2.1)

    Issuing short-lived access tokens (as @vlatko said) will reduce the impact of a leaked token, but is not a preventative measure.
