The implicit flow is intended for use by client-side applications (where the client secret can't be exposed). It requires user interaction. Refresh tokens cannot be used with implicit flow. The URL the user is redirected to after authorization must be stored (and validated by) the OAuth provider.