In the previous post we covered the Authorization Code grant type; here we will look at the Implicit Grant Type.
With the Authorization Code grant the client first obtains an authorization code from the Authorization Server and then exchanges that code (along with the Client Secret) for an access token. With the Implicit Grant there is no such intermediate step: the client application requests the access token directly from the Authorization Endpoint.
We need to pass the below details to the Authorization URL:
The redirect_uri must exactly match the one registered for the application; this is how the Authorization Server makes sure that no unauthorized client application can request the token.
Some of the drawbacks are that the access token is exposed to the resource owner in the URL, and that there is no validation that the access token was issued to that particular client.
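As an added example (not code from the original post), the following Python script builds the Implicit Grant authorization request described above and then reads the token the Authorization Server hands back in the redirect URL. The tenant id, client id, redirect URI and resource values are constructed placeholders, and the `state` parameter is an assumption added so the client can tie the response back to its own request; the endpoint path is the Azure AD `oauth2/authorize` endpoint.

```python
"""Added example (not from the original post): build the Implicit Grant
authorization request for Azure AD and read the access token that comes back
in the fragment of the redirect URL. All ids and URLs below are constructed
placeholders, not real identifiers."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders (assumptions): substitute your own registered values.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "https://localhost/spa"
RESOURCE = "https://contoso.crm.dynamics.com"  # the Dynamics CE organization

AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/authorize"


def build_authorize_url(client_id, redirect_uri, resource, state):
    """Return the Authorization Endpoint URL for the Implicit Grant.

    response_type=token asks for an access token directly instead of an
    authorization code; the resource parameter names the API the token is for;
    state (an assumption in this example) lets the client recognise its own
    response when the redirect comes back.
    """
    params = {
        "response_type": "token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "resource": resource,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_redirect(redirect_url, expected_state):
    """Extract the token from the redirect the Authorization Server sends back.

    With the Implicit Grant the token travels in the URL fragment itself, which
    is the exposure drawback noted in the post. Returns
    (access_token, token_type, expires_in) or raises ValueError on an error
    response or a state mismatch.
    """
    fragment = urlparse(redirect_url).fragment
    fields = {k: v[0] for k, v in parse_qs(fragment).items()}
    if "error" in fields:
        raise ValueError(f"{fields['error']}: {fields.get('error_description', '')}")
    if fields.get("state") != expected_state:
        raise ValueError("state mismatch: response does not belong to our request")
    return (fields["access_token"],
            fields.get("token_type"),
            int(fields.get("expires_in", "0")))


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(CLIENT_ID, REDIRECT_URI, RESOURCE, state))
    # Constructed sample of the redirect the Authorization Server would send back.
    sample = (f"{REDIRECT_URI}#access_token=eyJ.sample.token"
              f"&token_type=Bearer&expires_in=3599&state={state}")
    print(parse_redirect(sample, state))
```

Running the script prints the authorize URL you would paste into a browser (or, as in the post, let Postman open for you) and then the token fields recovered from a constructed redirect. Note that the token is readable by anything that can see that URL, which is exactly why the Implicit Grant is considered weaker than the Authorization Code grant.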
To get started:
Register your application with the Azure Active Directory tenant. Copy the Client Id.
For the Redirect URI we will set the URL of the single page application that we will be developing later, so specify any valid URL there for now.
Enable the application for the Implicit Flow by setting oauth2AllowImplicitFlow to true in the application's Manifest, or from the Authentication section.
From Postman:
Go to the Authorization tab and click on the Get New Access Token button.
Specify the Grant Type as Implicit, along with the Callback URL (i.e. the redirect_uri) and the Client Id.
For the Auth URL, the Authorization Endpoint should include the resource query parameter, which refers to our Dynamics CE organization.
Click on Request Token to get the access token.
Inside Fiddler we'd see the following parameters being passed to the authorization endpoint.
Clicking on Request Token opens a popup for us to log in and provide consent.
The access token:
Let us try changing the Callback URL and sending the request again.
We'd get the error below.
As was mentioned earlier:
The redirect_uri must exactly match the one registered in the application; this is how the Authorization Server makes sure that no unauthorized client application can request the token.
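To show what the Authorization Server is doing when it rejects the changed Callback URL, here is an added example (not the post's or Azure AD's own code) of the server-side check: the client registration is looked up by client_id, the application must have the implicit flow enabled (the post's oauth2AllowImplicitFlow setting), and redirect_uri is compared by exact string match against the registered reply URLs. The client registry and the URLs are constructed samples.

```python
"""Added example (not from the original post): the checks an Authorization
Server performs on an Implicit Grant request before showing the login and
consent page. The registry below is a constructed sample."""
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed registry (assumption): client id -> what was registered for the app.
REGISTERED_CLIENTS = {
    "11111111-1111-1111-1111-111111111111": {
        "redirect_uris": {"https://localhost/spa"},
        "oauth2AllowImplicitFlow": True,
    },
    "22222222-2222-2222-2222-222222222222": {
        "redirect_uris": {"https://localhost/other"},
        "oauth2AllowImplicitFlow": False,
    },
}


def validate_authorize_request(authorize_url):
    """Return (ok, detail).

    ok=True means the server may continue to the login/consent page and
    detail is the redirect_uri it will later send the token to.  ok=False
    means the request is refused and detail is the error shown to the user.
    The error is displayed on the server's own page: until redirect_uri has
    matched the registration it is untrusted, so nothing is sent there.
    """
    query = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
    client_id = query.get("client_id")
    redirect_uri = query.get("redirect_uri")

    registration = REGISTERED_CLIENTS.get(client_id)
    if registration is None:
        return False, "unauthorized_client: unknown client_id"
    if query.get("response_type") != "token":
        return False, "unsupported_response_type: implicit flow expects response_type=token"
    if not registration["oauth2AllowImplicitFlow"]:
        return False, "unauthorized_client: implicit flow is not enabled for this application"
    # Exact string comparison: no prefix, wildcard, or scheme/host-only matching,
    # so https://localhost/spa/ or https://localhost/spa/../x do not pass.
    if redirect_uri not in registration["redirect_uris"]:
        return False, "invalid_request: redirect_uri does not match the registered reply URL"
    return True, redirect_uri


def make_request(client_id, redirect_uri):
    """Build a sample authorize request URL for the demo (constructed endpoint)."""
    params = {"response_type": "token", "client_id": client_id,
              "redirect_uri": redirect_uri, "resource": "https://contoso.crm.dynamics.com"}
    return "https://login.example.test/oauth2/authorize?" + urlencode(params)


if __name__ == "__main__":
    good = make_request("11111111-1111-1111-1111-111111111111", "https://localhost/spa")
    changed = make_request("11111111-1111-1111-1111-111111111111", "https://localhost/spa2")
    print(validate_authorize_request(good))     # (True, 'https://localhost/spa')
    print(validate_authorize_request(changed))  # (False, 'invalid_request: ...')
```

The two printed lines correspond to the successful Postman request and the request with the changed Callback URL: the same client, the same endpoint, and only the redirect_uri differs, which is enough for the server to refuse to issue a token.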
Hope it helps.