
OAuth2 Implicit Flow - IFrame Refresh Identity


I'm working on an OAuth2 client for the implicit flow, and am implementing an IFrame-based refresh (since there are no refresh tokens in implicit flow).

What I'm stuck on is trying to figure out the "standard" for passing the access token back to the server. Do I pass back via an access_token query string parameter, or do I have to somehow set the Authorization header when setting the IFrame source (which seems kind of tough)?


Solution

  • Here is what I was told... the authorization server stores a cookie (under its own domain), after the user authenticates for the initial authorization request. The cookie precludes re-authentication on subsequent calls from the hidden IFrame, so there is no need to pass anything from the client as a query string parameter, header, etc.
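The refresh the answer describes, as an added example that is not part of the original question or answer: the hidden iframe simply loads an ordinary authorization request, and the authorization server's own session cookie is what identifies the user, so the client sends no token at all. The authorization endpoint, client id, redirect URI and scope below are assumptions, as is the callback page that posts its URL back to the opener. The `prompt=none` parameter is from OpenID Connect (it tells the server to fail with an error rather than render a login page) and is not mentioned in the answer; drop it for a plain OAuth 2.0 server that does not understand it.

```javascript
// Assumed client settings (hypothetical values, not from the original post).
const AUTHZ_ENDPOINT = 'https://auth.example.com/authorize';
const CLIENT_ID = 'example-client-id';
const REDIRECT_URI = 'https://app.example.com/silent-callback.html';
const SCOPE = 'openid profile';

// Random state/nonce values; uses the Web Crypto API available in browsers.
function randomToken(bytes = 16) {
  const buf = new Uint8Array(bytes);
  globalThis.crypto.getRandomValues(buf);
  return Array.from(buf, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Build the authorization request the hidden iframe will load. Nothing about
// the current access token is included: the server recognises the user from
// the cookie it set during the initial interactive authorization.
function buildSilentAuthUrl({ state, nonce }) {
  const url = new URL(AUTHZ_ENDPOINT);
  url.searchParams.set('response_type', 'token');
  url.searchParams.set('client_id', CLIENT_ID);
  url.searchParams.set('redirect_uri', REDIRECT_URI);
  url.searchParams.set('scope', SCOPE);
  url.searchParams.set('state', state);
  url.searchParams.set('nonce', nonce);
  url.searchParams.set('prompt', 'none'); // OpenID Connect: never show a login UI
  return url.toString();
}

// Parse the URL the server redirected the iframe to. In the implicit flow the
// token travels in the fragment (#...), never the query string, so it is not
// sent to the redirect_uri host. The state value must match the one we sent
// before the token is trusted.
function parseCallbackFragment(callbackUrl, expectedState) {
  const hash = new URL(callbackUrl).hash.replace(/^#/, '');
  const params = new URLSearchParams(hash);
  if (params.get('state') !== expectedState) {
    return { ok: false, error: 'state_mismatch' };
  }
  if (params.has('error')) {
    return { ok: false, error: params.get('error') };
  }
  const accessToken = params.get('access_token');
  if (!accessToken) {
    return { ok: false, error: 'no_token' };
  }
  return {
    ok: true,
    accessToken,
    expiresIn: Number(params.get('expires_in') || 0),
  };
}

// Browser-only glue: create the hidden iframe and wait for the callback page
// to postMessage its full URL back. Rejects when run outside a browser.
function silentRefresh(timeoutMs = 10000) {
  if (typeof document === 'undefined') {
    return Promise.reject(new Error('silentRefresh needs a browser'));
  }
  const state = randomToken();
  const nonce = randomToken();
  return new Promise((resolve, reject) => {
    const iframe = document.createElement('iframe');
    iframe.style.display = 'none';
    const timer = setTimeout(() => {
      cleanup();
      reject(new Error('silent refresh timed out'));
    }, timeoutMs);
    function cleanup() {
      clearTimeout(timer);
      window.removeEventListener('message', onMessage);
      iframe.remove();
    }
    function onMessage(ev) {
      // Only accept the message from our own origin (the callback page).
      if (ev.origin !== window.location.origin) return;
      cleanup();
      const result = parseCallbackFragment(String(ev.data), state);
      if (result.ok) resolve(result);
      else reject(new Error(result.error));
    }
    window.addEventListener('message', onMessage);
    iframe.src = buildSilentAuthUrl({ state, nonce });
    document.body.appendChild(iframe);
  });
}
```

The assumed callback page served at `REDIRECT_URI` needs only one line, `window.parent.postMessage(window.location.href, window.location.origin)`, and the app calls `silentRefresh().then(r => store(r.accessToken))` shortly before the current token's `expires_in` runs out. A `login_required` error from the server means the cookie session is gone and an interactive login is needed again.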