As the name suggests, here the client's credentials are used instead of the user's (the resource owner's). Apart from that, the flow is very similar to the resource owner password credentials grant flow:
- The client application (for example, Quora) sends the access token request to the resource server (for example, Facebook or Twitter) with the grant type and scope. The client ID and secret are added to the authorization header. On successful validation, the resource server sends the access token.
- The OAuth client requests the user's (the resource owner's) resources (for example, a Twitter profile photo) from the resource server and sends the access token received in the previous step.
- The resource server ...
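The two steps above, as an added example that is not part of the original text: the client builds the token request with the client ID and secret in an HTTP Basic header, the token endpoint authenticates the client and issues a short-lived scoped token, and the resource endpoint checks the Bearer token before serving the resource. The client ID `quora-app`, its secret, the scope `profile:read` and the in-memory token store are constructed assumptions; the endpoints are modelled as plain functions in one process (in OAuth 2.0 the token endpoint belongs to the authorization server, which is often deployed separately from the resource server).

```python
import base64, hmac, secrets, time
from urllib.parse import parse_qs, urlencode

# Constructed registration: hypothetical client ID, secret and allowed scope (not from the page).
CLIENTS = {"quora-app": {"secret": "s3cr3t-example", "scopes": {"profile:read"}}}
ISSUED = {}  # server-side token store: access_token -> {"client_id", "scope", "expires_at"}


def build_token_request(client_id, client_secret, scope):
    """Step 1, client side: grant type and scope go in the form body, the client ID
    and secret go in an HTTP Basic Authorization header (not in the body or the URL)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {creds}"}, urlencode({"grant_type": "client_credentials", "scope": scope})


def token_endpoint(headers, body, now=None):
    """Step 1, server side: authenticate the client, check the scope, issue a token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, _, secret = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    client = CLIENTS.get(client_id)
    # Constant-time comparison so response timing does not leak the secret.
    if client is None or not hmac.compare_digest(secret.encode(), client["secret"].encode()):
        return 401, {"error": "invalid_client"}
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    scope = set(form.get("scope", [""])[0].split())
    if not scope or not scope <= client["scopes"]:  # only scopes this client was registered for
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    ISSUED[token] = {"client_id": client_id, "scope": scope, "expires_at": (now or time.time()) + 3600}
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


def resource_endpoint(headers, needed_scope, now=None):
    """Step 2: the client presents the token as Bearer; the resource server checks
    that it exists, has not expired and carries the scope the resource needs."""
    auth = headers.get("Authorization", "")
    info = ISSUED.get(auth[7:]) if auth.startswith("Bearer ") else None
    if info is None or info["expires_at"] <= (now or time.time()):
        return 401, {"error": "invalid_token"}
    if needed_scope not in info["scope"]:
        return 403, {"error": "insufficient_scope"}
    return 200, {"profile_photo": f"/photos/{info['client_id']}.png"}  # constructed payload
```

Passing `now` lets you exercise token expiry deterministically; in a real deployment the token store would be backed by the authorization server's database or by self-contained (signed) tokens.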