1. OAuth 2.0 is an open authorization framework & mainly focuses on authorization flows for web applications, desktop applications, mobile phones. OAuth 2.0 is widely used and secures access to many well-known web APIs including Amazon, Facebook, Google, Microsoft, PayPal, Yahoo & so on..!
1. When client initiates the flow by directing to any API server user's user-agent to the authorization endpoint URI. The client includes its client ID, API key and a redirection URI, to which the authorization server will send the user-agent back once access is granted (or denied). The redirection URI encoded in the authorization URI must match the URI configured when the application (or APP) was registered.
2. API server authenticates the account owner (via the user-agent/browser) and establishes whether the account owner grants or denies the client's access request.
3. When the account owner grants access or not, the API server redirects the user-agent back to the client using the redirection URI provided earlier in the request and during application registration. The redirection URI includes an authorization code as a query parameter named "code" if access was granted and a parameter "error" if it was denied.
4. The client requests an access token from the API server's token endpoint by including the authorization code received in the previous step. When making the request, the client authenticates with the API server by providing the API key as a query parameter "api_key" along with fields "client_secret" and "redirect_uri" in a from-encoded (Content-Type: application/x-www-form-urlencoded) POST. This is the only time the client secret is used. The form POST must also include the code obtained as a field "code" and a field "grant_type" set to "authorization_code".
Eg : Code exchange endpoint: <server token endpoint>
5. The API server authenticates the client, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect the client in step 4. If valid, the authorization server responds back with an access token in the JSON encode response body in value of a key named "access_token".