Deprecated OAuth Flow

OAuth Implicit Grant (response_type=token)

warningSecuritydeprecated-oauth-flow

Why this matters

The Implicit Grant exposes access tokens in the URL fragment, making them visible in browser history, referrer headers, and server logs. It's been deprecated by OAuth 2.1.

✗ Bad

const authUrl = `https://auth.example.com/authorize
  ?response_type=token
  &client_id=${CLIENT_ID}
  &redirect_uri=${REDIRECT_URI}`;

✓ Good

const authUrl = `https://auth.example.com/authorize
  ?response_type=code
  &client_id=${CLIENT_ID}
  &redirect_uri=${REDIRECT_URI}
  &code_challenge=${challenge}
  &code_challenge_method=S256`;

How to fix

Use the Authorization Code flow with PKCE instead of the Implicit Grant. This keeps tokens out of the URL and is the recommended approach for all OAuth clients.

All rules