# Implicit Grant Flow
**Implicit Grant Flow** was designed for single-page applications (SPAs) and other client-side applications that cannot keep a client secret. Tokens (`id_token` and/or `access_token`) are returned directly from the `/authorize` endpoint instead of being exchanged at the `/token` endpoint. Note that the OAuth 2.0 Security Best Current Practice (and OAuth 2.1) deprecates this flow in favor of the authorization code flow with PKCE; it remains useful to understand because many existing tenants and app registrations still allow it.

Here’s how it works:
1. Client Requests Authorization: The client redirects the user's browser to the `/authorize` endpoint.
2. User Authenticates: The user logs in and consents to the requested scopes.
3. Tokens Returned Directly: The authorization server immediately returns the tokens (ID token and/or access token) in the URL fragment (or, for an ID token only, optionally the query string) of the redirect URI, with no intermediate authorization code.

### Key Points of Implicit Grant Flow:
- **Tokens Directly Returned**: Tokens are returned directly from the `/authorize` endpoint.
- **No Authorization Code**: There is no intermediate step of exchanging an authorization code for tokens, so there is no client authentication and no PKCE binding of the response to the requester.
- <span style="color:red">**Security**</span>: Since tokens travel in the redirect URL, they are exposed to anything that can read that URL: browser history, proxy or server logs when the query string is used, `Referer` headers, and any JavaScript running on the redirect page (the fragment is not sent to the server, but it is fully readable by scripts). The flow also never issues a refresh token, so clients re-run it silently to renew access tokens.

To visualize the flow:
```text
Client ----> [Authorization Endpoint]
                       \
                        User Authenticates
                       /
Client <---- [Tokens in URL Fragment or Query String]
```

In [None]:
import sys
sys.path.append('../')       # the helper module lives in the parent directory of this notebook
import OAuth2_Flows          # local helper that builds the /authorize URL for each grant type
import pyperclip             # used to copy the generated URL to the clipboard

### Some important nuances:
- If you are requesting an access token (the `response_type` value on the wire is `token`), it requires a `response_mode` of **fragment**.
    - `response_mode` is an optional parameter of `implicit_flow`, and **fragment** is its default.
    - You can pair the access token with an `id_token` (`response_type=id_token token`); because an access token is still being requested, the **fragment** requirement still applies.
- If you are only requesting an `id_token`, you can use a `response_mode` of **query** or **fragment**.
- Whenever an `id_token` is requested, the request must also carry a `nonce`, which the token echoes back in its claims; the `state` value should be unique per request and checked when the redirect comes back.

#### Fill out the required variables:

In [None]:
tenant_id = ''
client_id = ''
redirect_uri = ''
response_type = 'id_token'   # 'id_token', 'token', or 'id_token token'
scope = 'openid https://graph.microsoft.com/.default'  # the implicit flow never returns a refresh token, so offline_access gains nothing here
state = "A1B2C3D4E5F6"       # should be unpredictable and unique per request; verify it on the redirect

In [None]:
complete_auth_url = OAuth2_Flows.implicit_flow(tenant_id, client_id, redirect_uri, response_type, scope)  # response_mode defaults to 'fragment'
# state is not passed by this call; add it if implicit_flow accepts it, and compare it against the value in the redirect
pyperclip.copy(complete_auth_url) # Copy to clipboard
print(f'Complete URL w/ params - Paste In Browser: \n{complete_auth_url}')
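The following is an added, self-contained example and not the notebook's `OAuth2_Flows` module (whose source is not shown here). It builds the implicit-grant `/authorize` URL by hand, enforcing the `response_type`/`response_mode` rules from the nuances above, then parses the redirect the authorization server sends back (fragment first, then query), checks `state`, and decodes the ID token payload for inspection. The endpoint layout and parameter names assume the Microsoft identity platform v2.0 endpoint; the sample redirect and the JWT it carries are constructed inline, and the JWT decoding deliberately skips signature verification.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: Microsoft identity platform v2.0 authorize endpoint layout.
AUTHORIZE_FMT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"


def build_implicit_auth_url(tenant_id, client_id, redirect_uri, response_type,
                            scope, state, nonce, response_mode="fragment"):
    """Build the /authorize URL for the implicit grant (hypothetical helper).

    response_type is the wire value: 'id_token', 'token' or 'id_token token'.
    Any request that returns an access token must use the fragment; an
    id_token-only request may use query or fragment.
    """
    types = set(response_type.split())
    if not types or not types <= {"id_token", "token"}:
        raise ValueError(f"not an implicit-grant response_type: {response_type!r}")
    if response_mode not in ("query", "fragment"):
        raise ValueError("response_mode must be 'query' or 'fragment'")
    if "token" in types and response_mode != "fragment":
        raise ValueError("access tokens are only returned in the fragment")
    params = {
        "client_id": client_id,
        "response_type": response_type,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "response_mode": response_mode,
        "state": state,   # bound to the browser session; verified on return
        "nonce": nonce,   # required with id_token; echoed in the token's claims
    }
    return AUTHORIZE_FMT.format(tenant=tenant_id) + "?" + urlencode(params)


def parse_implicit_redirect(redirect_url, expected_state):
    """Extract the parameters appended to redirect_uri and verify state.

    Access tokens only ever arrive in the fragment, so that is read first;
    an id_token-only response in query mode falls through to the query string.
    """
    parts = urlsplit(redirect_url)
    params = {k: v[0] for k, v in parse_qs(parts.fragment or parts.query).items()}
    if "error" in params:
        raise RuntimeError(f"{params['error']}: {params.get('error_description', '')}")
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this request")
    return params


def peek_jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _constructed_jwt(claims):
    """Build an UNSIGNED sample JWT so the example runs offline (constructed data)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


def demo():
    """Walk the flow end to end on constructed data and return the parsed result."""
    state, nonce = "A1B2C3D4E5F6", "n0nce-xyz"
    url = build_implicit_auth_url("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
                                  "http://localhost:8000/callback", "id_token token",
                                  "openid https://graph.microsoft.com/.default", state, nonce)
    # Constructed redirect, shaped like what the browser lands on after consent.
    id_token = _constructed_jwt({"aud": "00000000-0000-0000-0000-000000000000",
                                 "nonce": nonce, "preferred_username": "user@contoso.com"})
    redirect = ("http://localhost:8000/callback#" + urlencode({
        "access_token": "eyJ.constructed.access", "token_type": "Bearer",
        "expires_in": "3599", "id_token": id_token, "state": state}))
    tokens = parse_implicit_redirect(redirect, state)
    claims = peek_jwt_claims(tokens["id_token"])
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: id_token was not issued for this request")
    return url, tokens, claims


if __name__ == "__main__":
    auth_url, toks, clm = demo()
    print(auth_url)
    print(toks["access_token"], clm["preferred_username"])
```

The `state` and `nonce` checks are the two things the notebook's one-liner does not do for you: `state` ties the redirect to the request you actually sent, and `nonce` ties the ID token to that same request. In a real client, replace `peek_jwt_claims` with full signature, issuer, audience and expiry validation against the tenant's JWKS.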