Implicit Grant

Authorization Request

The application first decides which permissions it needs, then sends the user's browser to the authorization endpoint to ask for consent. To initiate the implicit flow, build a URL as below and redirect the end user's browser to it. Because the access token comes back to the browser inside a redirect, both the authorization endpoint and the callback URL should be served over HTTPS.

        GET http://<wp_base_url>/wp-json/moserver/authorize
        ?response_type=token
        &client_id=<client_id_goes_here>
        &redirect_uri=<callback_url>
        &scope=<permissions_requesting>
        &state=<security_token>
  • response_type=token : The type of response you expect. This tells the authorization server that the application is initiating the implicit flow. Note the difference from the Authorization Code flow, where this value is set to code.

  • client_id : The Client ID provided by the OAuth provider.

  • redirect_uri : Callback URL to which the user will be redirected once they allow or disallow access to your app. It should be one of the callback URLs registered for the client, since this is where the token will be delivered.

  • scope : One or more space-separated strings indicating the permissions your application is requesting.

  • state : The application generates an unguessable random string, stores it locally (for example in session storage), and includes it in the request. When the browser comes back to the callback URL, the application must check that the same value was returned and discard the response if it was not. This is what ties the callback to the request the application actually started and protects it against CSRF.

If the user allows access to your app, their browser is redirected to the supplied redirect URL, and the token and state parameters are carried in the URL fragment (after the #), not in the query string. A fragment is never sent to the server hosting the callback page, so the client-side script has to read it from the browser's location itself.

For example, the user can be redirected back to a callback URL such as the one below.

Sample Response:

        https://callback-url
        #access_token=<access_token>
        &token_type=Bearer
        &expires_in=3600
        &scope=<permissions_requesting>
        &state=<security_token>

Note the two major differences between this and the Authorization Code flow: the access token itself is returned instead of an authorization code, and it is delivered in the URL fragment rather than the query string.

The client can then use the access_token to access protected resources on the resource server.
The parameters received in the response are described below.

  • access_token : Access token for the Userinfo endpoint. Treat it as a credential: do not log it, and keep it out of places a third-party script on the page could read.

  • token_type : OAuth 2.0 token type value. The value must be Bearer.

  • expires_in : Lifetime of the access token in seconds (3600 in the sample, one hour). The implicit grant issues no refresh token, so once it expires the application has to run the authorization request again.

  • scope : One or more space-separated strings indicating the permissions actually granted, which may be narrower than what was requested.

Resource Request

The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User. The returned Claims are represented by a JSON object that contains a collection of name and value pairs for the Claims.

The following is a non-normative example of a Userinfo Request:

        GET /wp-json/moserver/userinfo HTTP/1.1
        Host: <wp_base_url>
        Authorization: Bearer <access_token>

Sample Response:

        {
            "id": "1",
            "username": "abc",
            "first_name": "xyz",
            "last_name": "example",
            "picture": "https://example.com/-kwtzesU/photo.jpg",
            "email": "abc@example.com",
            "locale": "en",...
        }