Understanding OAuth 2.0 and OpenID Connect

72 points, by abd12, about 7 years ago

2 comments

UncleMeat, about 7 years ago

> The Implicit flow is designed specifically for mobile apps or client side Javascript apps where embedded credentials could be compromised. The mechanics are simple in that the application redirects the user to the Identity Provider to authenticate, the IdP passes back token(s), and the application uses it according to the scopes it has.

Do not use Implicit Grant in mobile apps unless interacting with an app provider (and even then, Implicit Grant still has some major footguns if you are using it for authn, which most people are). It was absolutely not "designed specifically for mobile apps." If you are talking to the browser you cannot ensure that the access token is delivered to the right place and access tokens are not bound to the relying party. If you are using the access token for authn like suggested here, you let malicious apps impersonate your users.

If you are using a mobile app and performing OAuth through the browser, use Authz Code flow with PKCE.
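The comment above recommends the Authorization Code flow with PKCE (RFC 7636) for public clients that go through the browser. The following is an added example, not code from the commenter or the linked article, showing the two pieces that make that recommendation work: the client derives a one-time `code_challenge` from a secret `code_verifier`, and the authorization server binds the issued code to that challenge, so an attacker who intercepts the code on the redirect (for instance through a hijacked custom URL scheme) cannot redeem it without the verifier. The authorization server here is an in-memory stand-in, and the client id and redirect URI are made-up values.

```python
"""Authorization Code flow with PKCE (RFC 7636), both client and server side.

Added example: the AuthorizationServer class is an in-memory stand-in for a real
IdP, and "example-mobile-app" / "com.example.app:/callback" are made-up values.
"""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    # BASE64URL encoding without padding, as RFC 7636 specifies.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(n_bytes: int = 32) -> str:
    # RFC 7636 4.1: 43..128 characters from the unreserved set [A-Za-z0-9-._~].
    # 32 random bytes base64url-encoded give exactly 43 characters.
    return b64url(secrets.token_bytes(n_bytes))


def make_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))).
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal stand-in that stores the challenge alongside each issued code."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge, method="S256"):
        # In reality the user authenticates in the browser before this point;
        # the example skips that step and issues the code directly.
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' defeats the purpose")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code  # delivered to the client via the redirect_uri

    def token(self, client_id, redirect_uri, code, code_verifier):
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None:
            return None
        stored_client, stored_uri, stored_challenge = entry
        if (stored_client, stored_uri) != (client_id, redirect_uri):
            return None
        # Recompute the challenge from the presented verifier; constant-time compare.
        if not secrets.compare_digest(make_challenge(code_verifier), stored_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_exchange(steal_code: bool = False):
    """Run the full exchange. With steal_code=True, a party that intercepted the
    code on the redirect tries to redeem it with its own verifier, which is the
    case PKCE exists to reject. Returns the token response or None."""
    srv = AuthorizationServer()
    client_id, redirect_uri = "example-mobile-app", "com.example.app:/callback"

    # Client side: keep the verifier, send only the challenge on the authorize request.
    verifier = make_verifier()
    code = srv.authorize(client_id, redirect_uri, make_challenge(verifier))

    if steal_code:
        return srv.token(client_id, redirect_uri, code, make_verifier())
    return srv.token(client_id, redirect_uri, code, verifier)


if __name__ == "__main__":
    print("legitimate client:", run_exchange())
    print("intercepted code: ", run_exchange(steal_code=True))
```

The server rejects the `plain` method outright; with `plain` the challenge equals the verifier, so anyone who can see the authorize request can also redeem the code. Note that PKCE binds the code to the client instance, which is the property the commenter says the Implicit flow's access token lacks; it does not by itself make the resulting access token usable as proof of identity, which is the separate authn footgun the comment warns about.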
billfruit, about 7 years ago

For someone rather new to HN, is there any reason HN, or for that matter reddit, do not support logging in with third party accounts? Stackoverflow for example does support them, and whatever may be their downsides, they are mighty convenient.