Unlike the authorization code grant type, in which the client makes separate requests for authorization and for an access token, the client receives the access token as the result of the authorization request.
Most importantly, the implicit grant type does not include client authentication; it relies on the presence of the resource owner and the registration of the redirection URI. In the case of Azure AD, you are redirected to the Azure AD sign-on process to perform this authentication.
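The request and response described above, sketched as an added example (not code from the original post). The Azure AD v1 authorize endpoint, its `resource` parameter, the tenant placeholder, the client ID and the URLs are assumptions or constructed sample values; the `state` check is the client's own guard, since no client secret protects this flow.

```javascript
// Added example: endpoint, tenant, client ID and URLs are placeholders/assumptions.
const AUTHORIZE = 'https://login.microsoftonline.com/TENANT_PLACEHOLDER/oauth2/authorize';

// Fresh, unguessable state per request (call this in the browser before redirecting).
function newState() {
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
}

// Authorization request: response_type=token asks for the access token directly.
// No client secret is sent, because this grant has no client authentication.
function buildAuthorizeUrl({ clientId, redirectUri, resource, state }) {
  const url = new URL(AUTHORIZE);
  url.search = new URLSearchParams({
    response_type: 'token',
    client_id: clientId,
    redirect_uri: redirectUri, // must match the URI registered for the app
    resource,
    state,
  }).toString();
  return url.toString();
}

// Authorization response: the token comes back in the URL fragment of the
// redirect URI (window.location.hash), not from a separate token request.
function parseImplicitResponse(fragment, expectedState) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  if (params.has('error')) {
    throw new Error(`authorization error: ${params.get('error')}`);
  }
  // Reject responses that do not answer a request this page started.
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }
  const accessToken = params.get('access_token');
  if (!accessToken) throw new Error('no access_token in fragment');
  return {
    accessToken,
    tokenType: params.get('token_type'),
    expiresIn: Number(params.get('expires_in')),
  };
}

// Constructed sample values, for illustration only.
const sampleState = 'abc123';
console.log(buildAuthorizeUrl({ clientId: '00000000-0000-0000-0000-000000000000',
  redirectUri: 'https://app.example/callback', resource: 'https://api.example',
  state: sampleState }));
console.log(parseImplicitResponse(
  '#access_token=SAMPLE.TOKEN&token_type=Bearer&expires_in=3600&state=abc123', sampleState));
```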
Applications provisioned in Azure AD are not enabled to use the OAuth2 implicit grant by default. You need to explicitly opt in. Here is how:
- Go to your Web API registered in Azure AD, then go to “Configure”.
- Click on the Manage Manifest button and download the manifest file.
- Open the manifest file and search for the oauth2AllowImplicitFlow property. The default is false; change it to true.
- Upload the manifest file back into your Web API and save.
That’s it! You are now implicit grant enabled. Party!