A browser-based application might be a JavaScript-based application or a "traditional" server-rendered web application. For these scenarios you will get from us a client id configured for the implicit flow. This flow is optimized for browser-based applications. A characteristic of the implicit flow is that all tokens (identity and access tokens) are delivered through the browser front-channel, which is why refresh tokens are not available in this flow.
Authenticity of the client that is making a request is ensured with the client id and the predetermined return URLs that are registered in our system. Those return URLs are attached to your specific client id, and this is where the results of the requests are delivered. Only the owner of the systems on these URLs can receive the tokens. This flow uses only the authorization endpoint:
1. When the user tries to access the client application, the client application makes a GET request to the authorize endpoint.
2. As a result, the user receives the login screen of our identity provider, where they need to enter their credentials.
3. After successful verification of the credentials, the user is redirected to the predefined client redirect URL, and at this point the client application captures the access token from the URL parameter.
The request URL from step 1 looks like this (implicit flow, so response_type=token; the access token is returned in the redirect URL):
http://indentity-server-url/connect/authorize?response_type=token&scope=user_api.full_access&client_id=73e9cf0d-561a-11e9-9b32-000d3a46a880&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback
* this is an example call without a real client id