
> Learn how the OIDC-conformant pipeline affects the Implicit Flow.

# Implicit Flow with OIDC

Traditionally, the [Implicit Flow](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post) was used by applications that were incapable of securely storing secrets. Using this flow is no longer considered a best practice for requesting <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+tokens">access tokens</Tooltip>; new implementations should use [Authorization Code Flow with PKCE](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce). However, when used with Form Post response mode, Implicit Flow does offer a streamlined workflow if the application needs only an <Tooltip tip="ID Token: Token containing claims about the authenticated user, issued to the application to prove that authentication took place." cta="View Glossary" href="/docs/glossary?term=ID+token">ID token</Tooltip> to perform user authentication; in these cases, it would be used as part of the [Hybrid Flow](/docs/get-started/authentication-and-authorization-flow/hybrid-flow).

<Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=Refresh+tokens">Refresh tokens</Tooltip> will no longer be returned when using the Implicit Flow for authentication.

In addition, the OIDC-conformant pipeline affects the Implicit Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.

## Authentication request

### Legacy

```http lines
GET /authorize?
    response_type=token
    &scope=openid email favorite_color offline_access
    &client_id=123
    &state=af0ifjsldkj
    &redirect_uri=https://app.example.com
    &device=my-device-name
```

The `device` parameter is only needed if requesting a refresh token by passing the `offline_access` scope. To learn more, read [Refresh Tokens](/docs/secure/tokens/refresh-tokens).

### OIDC-conformant

```http lines
GET /authorize?
    response_type=token id_token
    &scope=openid email
    &client_id=123
    &state=af0ifjsldkj
    &nonce=jxdlsjfi0fa
    &redirect_uri=https://app.example.com
    &audience=https://api.example.com
```

* `response_type` indicates that we want to receive both an access token and ID token.
* Refresh tokens are not allowed in the implicit grant. Use `prompt=none` instead. To learn more, read [Configure Silent Authentication](/docs/authenticate/login/configure-silent-authentication).
* `favorite_color` is no longer a valid scope.
* `audience` is optional.
* `nonce` must be a cryptographically secure random string. To learn more, read [Mitigate Replay Attacks When Using the Implicit Flow](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post/mitigate-replay-attacks-when-using-the-implicit-flow).

## Authentication response

### Legacy

```http lines
HTTP/1.1 302 Found
Location: https://app.example.com/#
    access_token=SlAV32hkKG
    &expires_in=86400
    &state=af0ifjsldkj
    &id_token=eyJ...
    &refresh_token=8xLOxBtZp8
    &token_type=Bearer
```

* The returned access token is valid for calling the [`/userinfo`](https://auth0.com/docs/api/authentication#get-user-info) endpoint.
* A refresh token will be returned only if a `device` parameter was passed and the `offline_access` scope was requested.

### OIDC-conformant

```http lines
HTTP/1.1 302 Found
Location: https://app.example.com/#
    access_token=eyJ...
    &expires_in=86400
    &state=af0ifjsldkj
    &id_token=eyJ...
    &token_type=Bearer
```

* The returned access token is valid for calling the [`/userinfo`](https://auth0.com/docs/api/authentication#get-user-info) endpoint (provided that the API specified by the `audience` param uses `RS256` as [signing algorithm](/docs/get-started/applications/signing-algorithms)) and optionally the <Tooltip tip="Resource Server: Server hosting protected resources. Resource servers accept and respond to protected resource requests." cta="View Glossary" href="/docs/glossary?term=resource+server">resource server</Tooltip> specified by the `audience` parameter.
* If using `response_type=id_token`, Auth0 will only return an ID token.
* Refresh tokens are not allowed in the implicit grant. Use `prompt=none` instead.

## ID token structure

### Legacy

```json JSON lines
{
    "sub": "auth0|alice",
    "iss": "https://{yourDomain}/",
    "aud": "123",
    "exp": 1482809609,
    "iat": 1482773609,
    "email": "alice@example.com",
    "email_verified": true,
    "favorite_color": "blue"
}
```

### OIDC-conformant

```json JSON lines
{
    "sub": "auth0|alice",
    "iss": "https://{yourDomain}/",
    "aud": "123",
    "exp": 1482809609,
    "iat": 1482773609,
    "email": "alice@example.com",
    "email_verified": true,
    "https://app.example.com/favorite_color": "blue",
    "nonce": "jxdlsjfi0fa"
}
```

* The `favorite_color` claim must be namespaced and added through a rule. To learn more, read [Create Namespaced Custom Claims](/docs/secure/tokens/json-web-tokens/create-custom-claims).
* After validating the ID token, the application must validate the <Tooltip tip="Nonce: Arbitrary number issued once in an authentication protocol to detect and prevent replay attacks." cta="View Glossary" href="/docs/glossary?term=nonce">nonce</Tooltip> to mitigate replay attacks.

## Access token structure (optional)

### Legacy

```bash HTTP lines
SlAV32hkKG
```

The returned Access Token is opaque and only valid for calling the `/userinfo` endpoint.

### OIDC-conformant

```json JSON lines
{
    "sub": "auth0|alice",
    "iss": "https://{yourDomain}/",
    "aud": [
        "https://api.example.com",
        "https://{yourDomain}/userinfo"
    ],
    "azp": "123",
    "exp": 1482816809,
    "iat": 1482809609,
    "scope": "openid email"
}
```

* The returned access token is a <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWT">JWT</Tooltip> valid for calling the `/userinfo` endpoint (provided that the API specified by the `audience` param uses `RS256` as [signing algorithm](/docs/get-started/applications/change-application-signing-algorithms)) as well as the resource server specified by the `audience` parameter.
* An opaque access token could still be returned if `/userinfo` is the only specified <Tooltip tip="Audience: Unique identifier of the audience for an issued token. Named aud in a token, its value contains the ID of either an application (Client ID) for an ID Token or an API (API Identifier) for an Access Token." cta="View Glossary" href="/docs/glossary?term=audience">audience</Tooltip>.

## Learn more

* [Access Tokens with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-access-tokens)
* [External APIs with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-apis)
* [Authorization Code Flow with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-auth-code-flow)
* [Client Credentials Flow with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-client-credentials-flow)
* [Delegation with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-delegation)
* [Refresh Tokens with OIDC](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-refresh-tokens)
