Jammy's Cave

In Part 1, I explained the OAuth protocol flow at a high-level. In this part, we will dive in to the most popular authorization grant type: the authorization code grant. Grant Flow The authorization code grant is a redirection-based flow: The client redirects the resource owner’s user agent (hereafter, we’ll just say “browser”) to the authorization server. The authorization server authenticates the user. The authorization server asks the resource owner for consent to give the client access to the protected resources.

Let’s imagine I am working on a calendar app. I know that a lot of my users keep their events in Google Calendar, so I need to make sure that I can retrieve their events from Google, and send back the newly created ones. How does Google know that my app is allowed to access a user’s calendar? As a user, when I go to https://calendar.google.com I’m asked to provide the username and password for my Google Account.