# Implicit Flow

> ⚠️ **It is not recommended to use the implicit flow** due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that they have been received by the client.

The implicit grant type is an OAuth 2.0 protocol flow for authenticating users, and is designed for legacy applications.

We recommend the Authorization Code flow for retrieving user tokens if possible; this ensures that no access tokens are sent to the browser. If you are writing a native or single-page application that cannot store a `client_secret` securely, we recommend [Authorization Code with PKCE](/apis/platform/ids/flows/authorization-code-with-pkce).

## Authorize request

Initiating an authorization code flow is done with a `GET /connect/authorize` request. You provide your `client_id` and the required `scope`, together with a `redirect_uri` where the authorization code will be returned.

Make sure that `response_type` is set to `code`. This will cause the authorization request to return a `code` parameter to the endpoint given in `redirect_uri`; you will use the value of this in the following [token request](#token-request).

### GET /connect/authorize

```HTTP request
GET https://id.aritma.io/{tenant}/connect/authorize?scope=SCOPE&response_type=token&client_id=YOUR_CLIENT_ID&redirect_uri=https://YOUR_APP/callback&state=STATE HTTP/1.1
```

```HTTP response
HTTP/1.1 302 Found
Location: https://YOUR_APP/callback#access_token=ACCESS_TOKEN&token_type=Bearer&expires_in=EXPIRES_IN&scope=SCOPE&state=STATE
```

| Parameter | Description |
| --- | --- |
| `scope` (required) | The scopes which you want to request authorization for. Must be a `resource scope`, but not an `identity scope` such as `profile` and `openid`. |
| `response_type` (required) | Indicates to Aritma ID which OAuth 2.0 flow you want to perform. Use `token` for the implicit flow. |
| `client_id` (required) | Your application's ID. |
| `state` (recommended) | An opaque value the application adds to the initial request that Aritma ID includes when redirecting back to the application. This value can be used by the application to prevent CSRF attacks. |
| `redirect_uri` (required) | The URL to which Aritma ID will redirect after authorization has been granted by the user. |
| `acr_values` | One or more values that control how the authentication process is performed. Use `mfa` to force a user with an active session to re-enter their MFA token (must be used together with `prompt=login`). See [Authentication Context Class References](/apis/platform/ids/acr_values). |
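
The request and fragment redirect shown above, seen from the client's side: this added example (not Aritma's code) builds the authorize URL with a random `state` and accepts the returned token only when the `state` in the fragment matches. The function names, and the idea that the caller keeps the expected `state` between request and callback, are assumptions made for illustration.

```javascript
// Added example; newState, buildAuthorizeUrl and parseImplicitCallback are hypothetical names.
const AUTHORITY = 'https://id.aritma.io'; // host taken from the request shown above

// Generate an unguessable state value (128 bits, hex encoded).
function newState(rng = globalThis.crypto) {
  const bytes = new Uint8Array(16);
  rng.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Build the GET /connect/authorize URL for the implicit flow.
function buildAuthorizeUrl({ tenant, clientId, scope, redirectUri, state }) {
  const url = new URL(`${AUTHORITY}/${encodeURIComponent(tenant)}/connect/authorize`);
  url.search = new URLSearchParams({
    scope,
    response_type: 'token',
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
  }).toString();
  return url.toString();
}

// Parse the fragment of the redirect; reject it unless state matches the value
// this client sent, so a response the client did not initiate is never accepted.
function parseImplicitCallback(callbackUrl, expectedState) {
  const params = new URLSearchParams(new URL(callbackUrl).hash.slice(1));
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch: response was not triggered by this client');
  }
  if ((params.get('token_type') || '').toLowerCase() !== 'bearer') {
    throw new Error('unexpected token_type');
  }
  const accessToken = params.get('access_token');
  if (!accessToken) throw new Error('no access_token in fragment');
  return {
    accessToken,
    expiresIn: Number(params.get('expires_in')),
    scope: (params.get('scope') || '').split(' ').filter(Boolean),
  };
}
```

The expected `state` should be single-use: discard it once a callback has been processed, whether the check passed or failed.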