How does the implicit grant flow work?

Question

On this page, https://github.com/doorkeeper-gem/doorkeeper/wiki/Supported-Features, it mentions support for Implicit Grants. It looks like the authorizations#create is the endpoint I want and it does return an access_token but it doesn't return the other parameters that are required.

Request

https://localhost/oauth/authorize?client_id=<client_id>&response_type=token&redirect_uri=urn:ietf:wg:oauth:2.0:oob

I get redirected to:

Redirect

https://localhost?access_token=<access_token> with the body:
{"resource_owner_id":<user_id>,"scopes":[],"expires_in_seconds":7776000,"application":{"uid":"<client_id>"},"created_at":1484857630}

What I need per the spec, is a redirect with query parameters:

https://localhost#access_token=<access_token>&token_type=bearer&expires_in=<seconds>&scope=<scope>

• Is the use of the testing redirect value of "redirect_uri=urn:ietf:wg:oauth:2.0:oob" changing the response?

• Also notice the ? instead of the # just before the response query parameters. I'm not sure what the spec says on that but Amazon OAuth2 clients require the # sign.

• How do I get the token_type=bearer be included?

Thanks.

Answer 1

I was able to get my service working by looking at the code. So the answers to my questions above are:

urn:ietf:wg:oauth:2.0: is called the native URI. There is branching in the code which alters the response when it's set to the native URI. Using ngrok to create an externally callable endpoint on my local machine, I used a true redirect_uri value and Doorkeeper responded with the correct parameters in the response (including the token_type=bearer and # sign).

Note: It worked from my Amazon Alexa skill only after modifying the Doorkeeper code to allow redirect URLs that contain query parameters. Amazon's redirect URLs are in the format https://pitangui.amazon.com/spa/skill/account-linking-status.html?vendorId=<vendorId> which is currently not supported by Doorkeeper and an error is thrown about an Invalid Redirect URI.