I’ve read in several places (such as, for example, here: OAuth 2 Simplified • Aaron Parecki) that the implicit grant is no longer recommended for SPAs and mobile apps. Rather, the authorization code flow should be used without a client secret. What are Auth0’s plans and recommendations regarding implicit grants vs. authorization code flows?
At this point both grants are supported. In terms of recommendation, the best thing you can do is analyse the options available and their characteristics, choose the one that better matches your requirements, and proceed with any security measures that are recommended to mitigate against the attack vectors associated with your choice.
For native applications I don’t believe there was ever a general recommendation for the use of the implicit grant. In general, these applications used the authorization code grant and in particular the PKCE version of that grant.
For SPAs, the end result will likely mean a token within the browser, so although there are certain characteristics of an implicit grant with the default response mode of fragment that require additional attention, simply moving from an implicit grant to an authorization code grant within the scope of a SPA and then expecting that everything will now be fine is probably not a good idea.
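The PKCE version of the authorization code grant mentioned above, sketched for both sides of the exchange with the S256 method from RFC 7636. This is an added example, not part of the original posts and not Auth0 code; the function names are hypothetical, and it shows how a public client with no client secret binds the authorization code to itself.

```javascript
// Added example: PKCE (RFC 7636, S256) for a public client with no client secret.
// Function names are hypothetical; run with Node.js 16 or later.
const crypto = require('crypto');

// RFC 7636 section 4.1: 43-128 characters from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// Client: 32 random bytes encode to a 43-character base64url verifier.
// It is generated per authorization request and never sent until the token call.
function createCodeVerifier() {
  return crypto.randomBytes(32).toString('base64url');
}

// code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), without padding.
function deriveChallenge(verifier) {
  if (!VERIFIER_RE.test(verifier)) throw new Error('invalid code_verifier');
  return crypto.createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Client: query parameters for the authorization request. Only the challenge
// travels through the browser redirect; the verifier stays with the client.
function buildAuthorizationParams(clientId, redirectUri, state, verifier) {
  return new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    code_challenge: deriveChallenge(verifier),
    code_challenge_method: 'S256',
  });
}

// Authorization server, token endpoint: recompute the challenge from the
// presented verifier and compare it in constant time with the value stored
// when the code was issued. A code replayed without the verifier is rejected.
function verifyPkce(storedChallenge, presentedVerifier) {
  let computed;
  try {
    computed = deriveChallenge(presentedVerifier);
  } catch {
    return false; // malformed or missing verifier
  }
  const a = Buffer.from(computed);
  const b = Buffer.from(String(storedChallenge));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}
```

PKCE only protects the authorization code in transit; the resulting token still ends up in the browser, which is the point the answer above makes.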