Oauth 2 Request Flow
Authorization Code Flow :
An authorization grant using an authorization code works like this (the numbers correspond to the steps shown in the diagram below the description):
1) The resource owner (user) accesses the client application.
2) The client application tells the user to login to the client application via an authorization server (e.g. Facebook, Twitter, Google etc.).
3) To login via the authorizaion server, the user is redirected to the authorization server by the client application. The client application sends its client ID along to the authorization server, so the authorization server knows which application is trying to access the protected resources.
4) The user logs in via the authorization server. After successful login the user is asked if she wants to grant access to her resources to the client application. If the user accepts, the user is redirected back to the client application.
5) When redirected back to the client application, the authorization server sends the user to a specific redirect URI, which the client application has registered with the authorization server ahead of time. Along with the redirection, the authorization server sends an authorization code, representing the authorization.
6) When the redirect URI in the client application is accessed, the client application connects directly to the authorization server. The client application sends the authorization code along with its own client ID and and client secret.
7) If the authorization server can accept these values, the authorization server sends back an access token.
10) The client application can now use the access token to request resources from the resource server. The access token serves as both authentication of the client, resource owner (user) and authorization to access the resources.
Here is a diagram illustrating the authorization process when using authorization code to authorize a client application:
