
implicit_flow

please-open.it edited this page Feb 27, 2020 · 1 revision

Danger: use of implicit flow

https://oauth.net/2/grant-types/implicit/

The access_token is returned directly in the redirect_uri (in its fragment), without the extra authorization code exchange step.

It is now not recommended for use. https://tools.ietf.org/id/draft-ietf-oauth-security-topics-12.html#rfc.section.3.1.2

A URI must not contain any session data such as an access_token.

It could be leaked through logs, browser history, etc.

https://tools.ietf.org/id/draft-ietf-oauth-security-topics-12.html#browser_history

Recommendation

Never use the implicit flow; use the authorization_code flow instead. https://tools.ietf.org/html/rfc6749#section-1.3.1
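As an added example (not part of this wiki page), a small Python scanner that flags the two artifacts described above in a list of request URIs: an authorization request asking for response_type=token, and a redirect URI carrying an access_token in its fragment or query. The log lines and hostnames are constructed.

```python
"""Flag OAuth 2.0 implicit-flow artifacts in request URIs: response_type=token
requests and redirect URIs carrying an access_token. Added example, constructed data."""
from urllib.parse import urlsplit, parse_qs

# Session data that must never appear in any part of a URI.
SENSITIVE_PARAMS = {"access_token", "id_token", "refresh_token"}

def authorization_flow(uri):
    """'implicit' if the request asks for a token in the redirect, 'code' for
    the authorization_code flow, None if there is no response_type at all."""
    rtype = parse_qs(urlsplit(uri).query).get("response_type", [None])[0]
    if rtype is None:
        return None
    return "implicit" if set(rtype.split()) & {"token", "id_token"} else "code"

def tokens_in_uri(uri):
    """Map each sensitive parameter found in the query or fragment to its location."""
    parts = urlsplit(uri)
    found = {}
    for where, raw in (("query", parts.query), ("fragment", parts.fragment)):
        for name in parse_qs(raw, keep_blank_values=True):
            if name in SENSITIVE_PARAMS:
                found[name] = where
    return found

def scan_log(lines):
    """Return (line_no, reason) for every 'METHOD URI ...' line that shows an
    implicit-flow request or a token carried in the URI."""
    findings = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 2:
            continue
        uri = fields[1]
        if authorization_flow(uri) == "implicit":
            findings.append((n, "implicit flow requested (response_type=token)"))
        leaked = tokens_in_uri(uri)
        if leaked:
            where = ", ".join(f"{k} in {v}" for k, v in sorted(leaked.items()))
            findings.append((n, "token in URI: " + where))
    return findings

# Constructed sample. Fragments never reach the server in a normal request, but
# they persist in browser history and in client-side or proxy logs of the full URL.
SAMPLE_LOG = [
    "GET https://as.example/authorize?response_type=token&client_id=app&state=abc HTTP/1.1",
    "GET https://app.example/cb#access_token=constructed.token&token_type=bearer&state=abc HTTP/1.1",
    "GET https://app.example/cb?code=constructed-code&state=abc HTTP/1.1",
]
```

Running scan_log(SAMPLE_LOG) reports line 1 as an implicit-flow request and line 2 as a URI carrying access_token in its fragment; the authorization_code redirect on line 3 is clean.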