As of August 2015, Optimizely Web Experimentation supports both the authorization code and implicit grant types, as described in the OAuth 2.0 spec.
The authorization code grant is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. It's more versatile than the implicit grant and can give an application indefinite access to Optimizely on behalf of a user with a single authorization request. However, it's more complex to implement, and it requires the application to implement server-side code as well as a means of securely storing confidential information, including both a client secret and refresh tokens.
The implicit grant type is optimized for public clients. Such clients will receive a valid access token at their redirection URL immediately after the user authorizes their application. Access tokens expire after two hours.
The implicit grant does not support refresh tokens. Therefore, any application using the implicit grant will need to explicitly re-request authorization from the user when an access token expires.
Updated about 1 year ago