The main purpose of this flow is to ensure that the client application is never exposed to the resource owner's credentials. To this end, the token can only be obtained by redirecting the user-agent to the authorization server, which authenticates the user and then redirects the user-agent back to the client application with a valid token.
The flow is as follows:
- A resource ...