The client (web app, native app, or SPA) must be highly trusted by the resource owner, because it directly handles the resource owner's credentials. Typically this flow is used to build a client for your own service. In other words, the client needs to be a trusted first-party app.
- The client prompts the user to enter their credentials (username/password).
- The client sends the credentials to the authorization server's token endpoint.
- The authorization server validates the information.
- The authorization server then returns an access token (and optionally a refresh token).
- The client uses the access token to access resources on the resource server.
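The steps above, simulated in-process as an added example (not code from the original page). It assumes the OAuth 2.0 password-grant wire format (`grant_type=password`, `username`, `password`, and the `invalid_grant` error); the function names, the in-memory stores and the PBKDF2 password hashing are hypothetical choices made for the illustration.

```python
import hashlib, hmac, secrets, time
from urllib.parse import urlencode, parse_qs

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

# Constructed sample data: one user, stored as (salt, password hash).
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
TOKENS = {}  # access token -> (username, expiry); in-memory for the demo

def token_endpoint(body: str) -> tuple[int, dict]:
    """Authorization server: validate a form-encoded token request."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if "username" not in form or "password" not in form:
        return 400, {"error": "invalid_request"}
    # Unknown users still get hashed against a dummy entry and compared in
    # constant time, so the response does not reveal which usernames exist.
    salt, stored = USERS.get(form["username"], (_SALT, b"\0" * 32))
    if not hmac.compare_digest(_hash(form["password"], salt), stored):
        return 400, {"error": "invalid_grant"}
    access = secrets.token_urlsafe(32)
    TOKENS[access] = (form["username"], time.time() + 3600)
    # The refresh token is optional; this demo issues one but never redeems it.
    return 200, {"access_token": access, "token_type": "Bearer",
                 "expires_in": 3600,
                 "refresh_token": secrets.token_urlsafe(32)}

def resource_server(authorization_header: str) -> tuple[int, str]:
    """Resource server: accept only a known, unexpired bearer token."""
    scheme, _, token = authorization_header.partition(" ")
    user, expiry = TOKENS.get(token, (None, 0))
    if scheme != "Bearer" or user is None or expiry < time.time():
        return 401, "invalid_token"
    return 200, f"profile of {user}"

def client_login(username: str, password: str) -> tuple[int, str]:
    """First-party client: send the credentials once, then use only the token."""
    status, resp = token_endpoint(urlencode(
        {"grant_type": "password", "username": username, "password": password}))
    if status != 200:
        return status, resp["error"]
    # The password is not stored; later requests carry the access token.
    return resource_server("Bearer " + resp["access_token"])
```

The client is the only party besides the authorization server that ever sees the password, which is why the flow is limited to trusted first-party apps.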