As we know, OAuth2 authorizes (it does not authenticate) an end user's account (the resource owner) to be used by third-party services.
Generally there are two types of access_token-generating schemes:
- authorization_code grant
- implicit grant flow
This flow allows other applications to use my user's resources.
- generally this application redirects to my server, e.g. login.myapp.com, for login
- once the user has logged in, I will show the user a page asking "would you like to authorize application X" with some permissions
- as soon as the user clicks on authorize, I will send an authorization_code (not an access_token) to the application's endpoint
- once the application gets the authorization_code, it will fetch the user's access_token through the server by hitting
- after that the application can retrieve the user's (resource owner's) information on their behalf
So the above flow is mainly designed for allowing other applications to get the user's (resource owner's) token.
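The authorization_code steps above, as an added example that is not part of the original post: a minimal in-memory authorization server that issues a short-lived code after the user clicks authorize, lets the application's backend exchange it for an access_token (authenticating the client, matching redirect_uri, rejecting replayed or expired codes), and then serves the resource owner's data. Client id, secret and redirect URI are constructed sample values.

```python
import secrets
import time

# Constructed registry for the authorization server (the post's login.myapp.com).
CLIENTS = {"app-x": {"secret": "s3cret-app-x", "redirect_uri": "https://appx.example/cb"}}
CODES = {}   # authorization_code -> {client_id, redirect_uri, user, scope, exp, used}
TOKENS = {}  # access_token -> {user, scope}


def issue_code(client_id, redirect_uri, user, scope):
    """After the user clicks 'authorize': hand the app a short-lived code, never a token."""
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        raise ValueError("unknown client or redirect_uri mismatch")
    code = secrets.token_urlsafe(32)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user": user,
                   "scope": scope, "exp": time.time() + 60, "used": False}
    return code


def exchange_code(client_id, client_secret, code, redirect_uri):
    """The app's backend trades the code for an access_token in a server-to-server call."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        raise PermissionError("client authentication failed")
    entry = CODES.get(code)
    if entry is None or entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
        raise PermissionError("code not issued to this client/redirect_uri")
    if entry["used"] or time.time() > entry["exp"]:
        raise PermissionError("code expired or already used")
    entry["used"] = True  # single use: a leaked code cannot be replayed
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"user": entry["user"], "scope": entry["scope"]}
    return token


def resource(token):
    """Resource server: the app reads the resource owner's data with the access_token."""
    info = TOKENS.get(token)
    if info is None:
        raise PermissionError("invalid token")
    return {"user": info["user"], "scope": info["scope"]}
```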