Why does the Implicit Authorization Grant in OAuth require a “Web-hosted Client Resource”?

Firstly, update your reference of OAuth 2.0 to the latest one.

As we know, in implicit grant, after resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI, and access token is in the fragment.

For example: http://www.myapp.com/googleapi/oauth/#access_token=ya29.JACdaU44_m0MQh0AAABLMVzZHm4KnUWyBECHJ9oM_0M2JC9x0xO6UoI9W8YNEw&token_type=Bearer&expires_in=3600

Since the fragment is not returned to the server (hash fragment is only intended for the client), client-side script must parse the fragment and extract the value of the access_token parameter.

Now, here comes to your questions, of course we can write a function in our client to parse the access token from the fragment and use it directly, it's simple and straightforward. Here is a tutorial using this manner.

But, in the standard, there is Web-Hosted Client Resource. Why? 'Web-Hosted Client Resource' is a client Resource, it may include some html pages and JavaScript, and of course it's web-hosted, rather than in the User-Agent. Since authorization server will hit our web application again at the redirect_uri with access token in fragment, our client-side web application server will respond it(parse the hash fragment).Here is a tutorial using this manner

In a word, the difference between these two manners is where you put the parse function.

1. Put it directly in the client it self, and the function detects if the user-agent hit the redirect URI, and if so, parses the access token from the fragment.

2. Put it in web-hosted client resource(locates in the redirect URI), when the authorization server hit the redirect URI with access token, the function locates the redirect URI parse it.

The second one is standard, for it makes the most of the redirect URI, also you can use the 1st one as well.

As far as I know, I haven't found any security consideration about the 2nd way.