Implicit Flow

Last updated: December 18, 2018


OAuth 2.0

At Decathlon, we value the integrity and security of our members' data above all else. For your applications to access Decathlon member data and/or act on members' behalf, they must be authenticated. To make this process as easy as possible, Decathlon relies on the industry-standard OAuth 2.0 protocol for granting access.

The implicit grant is a simplified authorization code flow optimized for clients implemented in a browser using a scripting language such as JavaScript. In the implicit flow, instead of issuing the client an authorization code, the client is issued an access token directly (as the result of the resource owner authorization). The grant type is implicit, as no intermediate credentials (such as an authorization code) are issued (and later used to obtain an access token).

When issuing an access token during the implicit grant flow, the authorization server does not authenticate the client. In some cases, the client identity can be verified via the redirection URI used to deliver the access token to the client. The access token may be exposed to the resource owner or other applications with access to the resource owner's user-agent.


Implicit grants improve the responsiveness and efficiency of some clients (such as a client implemented as an in-browser application), since they reduce the number of round trips required to obtain an access token.

However, this convenience should be weighed against the security implications of using implicit grants, especially when the authorization code grant type is available.

OAuth 2 is an RFC standard; you can find the full documentation here


Configuring your application

If you have not already done so, request the creation of your application.

Useful Tip:

To request access, you will need to provide us with some information:
  • Application Name (displayed to User)
  • Redirect URI (can have multiple)
  • Logo (100x100 .png)
  • Your Privacy Policy URL
  • Your Terms of Service URL
  • Your Logout URL
  • The scope you need access to:

To prevent fraudulent transactions during the authentication process, we will only communicate with URLs that you have identified as trusted endpoints.
Ensure the "OAuth 2.0 Redirect URLs" field for your application contains a valid callback URL to your server that is listening to complete your portion of the authentication workflow.

Once created, your application will be assigned a unique Client ID value.

How to Implement?

Using the Implicit Flow

It's time to request a Token. 
Kicking off this flow is very similar to the authorization code flow except that the response_type is token and/or id_token instead of code.

Redirecting the User

To request a token, you must direct the user's browser to Decathlon Login's OAuth 2.0 authorization endpoint.

  • If the user has not previously accepted the application's permission request, or the grant has expired or been manually revoked by the user, the browser will be redirected to Decathlon Login's authorization screen.
  • If there is a valid existing permission grant from the user, the authorization screen is bypassed.

When the user completes the authorization process, the browser is redirected to the URL provided in the redirect_uri query parameter.


Parameters:

| Parameter | Description | Required |
|---|---|---|
| client_id | The "API Key" value generated when you registered your application. | Yes |
| | The URI your users will be sent back to after authorization. This value must match one of your configured OAuth 2.0 Redirect URLs. | |
| response_type | The value of this field should always be: token for this flow (code for Authorization Code Flow). | Yes |
| | A unique string value of your choice that is hard to guess. Used to prevent CSRF. | |
| | A URL-encoded, space-delimited list of member permissions your application is requesting on behalf of the user. | |


Example:

Application is approved

If the user was not logged in, Decathlon Login will ask for a login and a password.
If it is the first time the user uses your application, or if you asked for access to a new scope, the user will have to approve your application's request to access data.
This approval instructs Decathlon Login to redirect the user back to the URL given in your redirect_uri parameter.

Once authenticated, the user will arrive at the specified redirect_uri along with a token as below:



Your application must now extract the token(s) from the URI and store them. This access token has a short lifetime.
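The CSRF check and token extraction described above, as an added example that is not Decathlon's own code. It assumes the standard RFC 6749 parameter names (state, scope, access_token, expires_in, error) and that the token arrives in the URL fragment; the endpoint, client ID, scope names and token value are constructed placeholders.

```javascript
// Added example (not Decathlon code). Placeholders: the page gives no endpoint or client ID.
const AUTHORIZE_ENDPOINT = "https://login.example.invalid/authorize"; // placeholder
const CLIENT_ID = "YOUR_CLIENT_ID"; // placeholder
// Web Crypto: global in browsers and recent Node; older Node falls back to node:crypto.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// 128 random bits, hex-encoded: the "hard to guess" value that prevents CSRF.
function newState() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Build the URL the user's browser is sent to (response_type=token for this flow).
function buildAuthorizeUrl(redirectUri, scopes, state) {
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.search = new URLSearchParams({
    client_id: CLIENT_ID,
    redirect_uri: redirectUri, // must match a registered Redirect URL
    response_type: "token",
    state,
    scope: scopes.join(" "), // space-delimited, URL-encoded by URLSearchParams
  }).toString();
  return url.toString();
}

// Validate the redirect and extract the token. `expectedState` is the value the
// app saved (e.g. in sessionStorage) before redirecting the user.
function handleRedirect(redirectedUrl, expectedState) {
  const params = new URLSearchParams(new URL(redirectedUrl).hash.replace(/^#/, ""));
  if (!expectedState || params.get("state") !== expectedState) {
    throw new Error("state mismatch: response does not belong to this login attempt");
  }
  if (params.has("error")) {
    throw new Error(`authorization failed: ${params.get("error")}`);
  }
  const accessToken = params.get("access_token");
  if (!accessToken) throw new Error("no access_token in redirect fragment");
  const expiresIn = Number(params.get("expires_in"));
  return { accessToken, expiresIn: Number.isFinite(expiresIn) && expiresIn > 0 ? expiresIn : null };
}
```

In the browser, call handleRedirect(window.location.href, savedState) and then clear the fragment with history.replaceState so the token does not remain in the address bar or browser history.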
