I’m afraid, but authorization via implicit code flow doesn’t work. The script in your example doesn’t work either. I’m still getting redirected and am not able to get the token, because on my local machine is nothing listening on a port (so redirect fails) and the script is not able to access the window’s location hash (due to cross origin policy).