OAuth 2.0 Implicit Grant Flow
There are a number of security considerations and caveats that you should take into account if you intend to implement the Implicit Grant flow.
- Since access tokens are delivered in the URL in the Implicit Grant flow, the risk of interception is higher than in the Authorization Code grant type.
- Details of the various security threats inherent in the Implicit Grant flow and appropriate countermeasures are documented in section 4.4.2 of OAuth 2.0 Threat Model and Security Considerations.
Please contact firstname.lastname@example.org if you have any questions about implementing the Implicit Grant flow for your application.
Implicit Grant Activity Diagram
The diagram below illustrates the interaction between the various entities comprised by the Implicit Grant flow.
Let's summarize the flow as depicted in the diagram:
- The Procore user opens her browser and navigates to your App's web page.
- Your App displays a page with a button, link, or other control that allows the user to initiate the authorization step with the Procore authentication server.
- The user clicks the control on the page served from the authentication server and initiates the flow.
- The Procore authentication server presents the user with the Procore login panel.
- The user enters her Procore credentials and logs in.
- The Procore authentication server responds by displaying the consent dialog.
- The user elects to either allow or deny your App access to their data in Procore.
- Once authorized by the user, the Procore authentication server redirects control back to your App with the access token included in the hash fragment of the redirect URL.
- Your App extracts the access token from the hash fragment of the redirect URL.
- Your App uses the extracted access token and initiates a request to the Procore API on behalf of the user.
- The Procore API processes the request and responds with a JSON object.
- Your App displays the contents of the JSON response object in the user's browser.
- The user views the results of the API call in her browser.
You can download this sample code to help you create a simple SPA that authenticates with Procore and initiates a basic call to the Procore API.
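The extraction step above (your App reads the token from the hash fragment of the redirect URL), as an added example that is not Procore's sample code: it parses the fragment, refuses a token that arrived in the query string, binds the redirect to the session through the `state` parameter, and keeps the token in the Authorization header rather than the URL. The callback URL, the `state` value and the token are constructed placeholders.

```javascript
// Added example (not Procore's sample code). Assumes the redirect carries the
// standard RFC 6749 section 4.2.2 fragment fields: access_token, token_type,
// expires_in, state, and error / error_description on denial.

// Extract and validate the token response from the redirect URL.
// `expectedState` is the random value the app stored before sending the user
// to the authentication server.
function parseImplicitRedirect(redirectUrl, expectedState) {
  const url = new URL(redirectUrl);
  // The token belongs in the fragment only: a query-string token would be sent
  // to the server hosting the callback page and end up in its logs.
  if (url.searchParams.has('access_token')) {
    throw new Error('access_token found in query string; refusing to use it');
  }
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));
  if (params.has('error')) {
    // The user denied consent or the authorization request was rejected.
    return { ok: false, error: params.get('error'),
             description: params.get('error_description') };
  }
  // Bind the response to the request that started the flow (CSRF mitigation).
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch: redirect is not bound to this session');
  }
  const token = params.get('access_token');
  const tokenType = params.get('token_type');
  if (!token || !tokenType || tokenType.toLowerCase() !== 'bearer') {
    throw new Error('missing or unsupported token in fragment');
  }
  const expiresIn = Number(params.get('expires_in'));
  return {
    ok: true,
    accessToken: token,
    tokenType: 'Bearer',
    // Absolute expiry, so the app can stop using the token before the API rejects it.
    expiresAt: Number.isFinite(expiresIn) && expiresIn > 0 ? Date.now() + expiresIn * 1000 : null,
  };
}

// Headers for the API request; the token is never placed in the request URL.
function authHeaders(parsed) {
  if (!parsed.ok) throw new Error('no access token available');
  return { Authorization: `${parsed.tokenType} ${parsed.accessToken}` };
}

// Constructed sample redirect (placeholder token and state, not real values).
const SAMPLE_REDIRECT =
  'https://app.example.com/callback#access_token=PLACEHOLDER_TOKEN&token_type=bearer&expires_in=7200&state=abc123';
```

In a browser, clear the fragment after parsing (for example with `history.replaceState`) so the token does not remain in the address bar or session history.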
Cross-Origin Resource Sharing (CORS)
When trying to send an API request from a client-side application using the Implicit Grant flow, you may receive a browser error indicating that no 'Access-Control-Allow-Origin' header is present on the requested resource. For CORS requests from client-side applications, your origin domain must be whitelisted for your App. To arrange this, please contact email@example.com and provide the domain you wish to have whitelisted.