0
votes

In OAuth 2, if I get an access token on the client side using the "implicit" grant, can I use this token on the server side (as if I had got this token using the "authorization code" grant)?

I have a website that shows a list of files from some websites (Google Drive, Dropbox, Instagram). This website gets an access token on the client side like here (using the implicit grant). It works fine. But now I want to do some requests on the server side. Can I use the old token, or should I get a new token using the "authorization code" grant?

1 Answers

0
votes

I think that you can use the old token, but you shouldn't. Some notes: For server-to-server authentication, the Client Credentials grant flow should be used. Server(s) can't even extract the Access Token from the #URL fragment on Implicit Grant because it is redirecting it (302). Note that Implicit Grant doesn't have a refresh token but Client Credentials has, so the Access Token is refreshable through the Client Credentials grant flow. And if you give the Access Token to someone else (the server in this case) to use, it is the same thing as giving your username and password to somebody.
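
The fragment behaviour mentioned in the answer above, shown as an added example that is not part of the original post: it compares what the server receives with what page script can read after an implicit-grant redirect. The redirect URL, token value, `state` value and function names are constructed for illustration, and the `state` comparison is an assumed client-side check, not something the page describes.

```javascript
// Constructed sample: the redirect a browser lands on after an implicit grant.
// Host, path and token value are placeholders, not real credentials.
const SAMPLE_REDIRECT =
  "https://app.example/callback?source=drive" +
  "#access_token=CONSTRUCTED_TOKEN&token_type=bearer&expires_in=3600&state=xyz123";

// What the browser puts in the HTTP request line for this URL.
// The fragment (everything after '#') is never transmitted to the server.
function requestTargetSentToServer(redirectUrl) {
  const u = new URL(redirectUrl);
  return u.pathname + u.search;
}

// What server-side code can read from that request: query parameters only.
function serverVisibleParams(redirectUrl) {
  const target = requestTargetSentToServer(redirectUrl);
  const query = target.includes("?") ? target.slice(target.indexOf("?") + 1) : "";
  return Object.fromEntries(new URLSearchParams(query));
}

// What script running in the page can read (location.hash in a browser).
function clientVisibleToken(redirectUrl, expectedState) {
  const fragment = new URL(redirectUrl).hash.replace(/^#/, "");
  const p = new URLSearchParams(fragment);
  // Assumed check: reject a response that does not match the request we sent.
  if (p.get("state") !== expectedState) {
    throw new Error("state mismatch: response does not belong to this request");
  }
  return {
    accessToken: p.get("access_token"),
    tokenType: p.get("token_type"),
    expiresIn: Number(p.get("expires_in")),
    hasRefreshToken: p.has("refresh_token"),
  };
}

console.log("server sees:", requestTargetSentToServer(SAMPLE_REDIRECT));
console.log("server params:", serverVisibleParams(SAMPLE_REDIRECT));
console.log("client sees:", clientVisibleToken(SAMPLE_REDIRECT, "xyz123"));
```

The server only obtains the token if page script sends it on deliberately, which is the hand-off the answer advises against.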