
The figure consists of two parts.

The first part, labeled "Prior to Authorization", is placed at the top of the figure. An image of a person labeled "Resource Owner (User)" is at the top left. Three rectangles connected one below the other and labeled "Client Site/App (Consumer)" are placed below the image. Seven rectangles connected one below the other and labeled "Authorization Server (OAuth Provider)" are placed at the right.

An arrow labeled "User creates account on OAuth provider" points from the image to the top of Authorization Server.
An arrow labeled "Client registers with provider (and supplies redirect_URL)" points from Client Site/App to Authorization Server.
A dashed arrow labeled "client_id + client_secret" points from Authorization Server to Client Site.

The second part, labeled "Authorization Code Grant Flow", is placed at the bottom of the figure. An image labeled "User Agent (Browser)" is at the top left of the second part. Three rectangles connected one below the other and labeled "Client" are placed at the right. Seven rectangles connected one below the other and labeled "Authorization Server" are placed at the bottom right of Client. Three rectangles connected one below the other and labeled "Client" are placed at the bottom left of Authorization Server. Three rectangles connected one below the other and labeled "Resource Server" are placed at the bottom right of Client.

An arrow labeled "1 Request protected resource" points from User Agent to Client.
A dashed arrow labeled "2 303 Redirect (to login)" points from Client to User Agent.
An arrow labeled "3 Request login" points from User Agent to Authorization Server.
A dashed arrow labeled "4 Provides login form" points from Authorization Server to User Agent.
An arrow labeled "5 Login (username + password)" points from User Agent to Authorization Server.
A dashed arrow labeled "6 Ask for user consent for scopes (e.g., user info, contacts)" points from Authorization Server to User Agent.
An arrow labeled "7 Provide consent" points from User Agent to Authorization Server.
A dashed arrow labeled "8 303 Redirect (to redirect_URL) + authorization code" points from Authorization Server to User Agent.
An arrow labeled "9 Request redirect_URL + authorization code" points from User Agent to Client.
An arrow labeled "10 Request token and supply the authorization code + client_id + client_secret" points from Client to Authorization Server.
A dashed arrow labeled "11 token (JWT)" points from Authorization Server to Client.
An arrow labeled "12 Request protected resource + token" points from Client to Resource Server.
A dashed arrow labeled "13 Protected resource + token (</>)" points from Resource Server to User Agent.
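
The registration step and steps 3 to 11 of the flow described above, as an added example that is not part of the original figure: a minimal in-memory authorization server showing the checks that protect the code exchange. The client id, secret, URLs and function names are constructed for illustration, and the token is an opaque placeholder rather than a JWT.

```python
import hmac
import secrets
import time

# Constructed registration data ("Prior to Authorization"); all values are made up.
CLIENTS = {"demo-client": {"secret": "demo-secret",
                           "redirect_url": "https://client.example/callback"}}
CODES = {}  # authorization code -> (client_id, redirect_url, user, scopes, expiry)

def authorize(client_id, redirect_url, user, scopes, ttl=60):
    """Steps 3-8: after login and consent, issue a short-lived one-time code."""
    reg = CLIENTS.get(client_id)
    # Redirect only to the exact URL supplied at registration, never a caller-chosen one.
    if reg is None or redirect_url != reg["redirect_url"]:
        raise PermissionError("unknown client or unregistered redirect URL")
    code = secrets.token_urlsafe(32)
    CODES[code] = (client_id, redirect_url, user, tuple(scopes), time.time() + ttl)
    return f"{redirect_url}?code={code}", code

def token(code, client_id, client_secret, redirect_url):
    """Steps 10-11: exchange the code for a token over the back channel."""
    reg = CLIENTS.get(client_id)
    # Constant-time comparison of the client_secret issued at registration.
    if reg is None or not hmac.compare_digest(reg["secret"].encode(),
                                              client_secret.encode()):
        raise PermissionError("client authentication failed")
    entry = CODES.pop(code, None)  # pop makes the code single-use
    if entry is None:
        raise PermissionError("invalid or already used code")
    issued_to, issued_redirect, user, scopes, expiry = entry
    # The code is bound to the client and redirect URL it was issued for.
    if (issued_to != client_id or issued_redirect != redirect_url
            or time.time() > expiry):
        raise PermissionError("code not valid for this client, redirect URL or time")
    # Opaque placeholder; the figure's token is a JWT, which is not built here.
    return {"access_token": secrets.token_urlsafe(32),
            "sub": user, "scope": " ".join(scopes)}

def rejected(fn, *args):
    """Return True when the call is refused with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```

A replayed code, a redirect URL that was not registered, and a wrong client_secret are all refused; only the registered client presenting a fresh code receives a token.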