
why was implicit flow conceived?


The OAuth2.0 Implicit Flow allows a client to obtain an Access Token directly with just one call to the Authorization Server (AS), without the need for a second POST request to the same AS.

According to this article, the OAuth2.0 Implicit Flow was conceived as:

The Implicit flow in OAuth 2.0 was created nearly 10 years ago, when browsers worked very differently than they do today. The primary reason the Implicit flow was created was because of an old limitation in browsers. It used to be the case that JavaScript could only make requests to the same server that the page was loaded from. However, the standard OAuth Authorization Code flow requires that a POST request is made to the OAuth server’s token endpoint, which is often on a different domain than the app. That meant there was previously no way to use this flow from JavaScript. The Implicit flow worked around this limitation by avoiding that POST request, and instead returning the access token immediately in the redirect.

What is not clear to me is: if back in the day browsers didn't allow cross-domain requests, once an OAuth2.0 client obtained an Access Token through an Implicit Flow, what would the client do with that Access Token? I mean, if the browser didn't allow a cross-domain request, then how was the Access Token used?