For the client application, the user is redirected to the authorization URL through a user agent.
The user logs in.
The user provides consent.
An authorization code is sent.
An access token is requested using the authorization code.
An access token is granted.
Access to protected resources is granted.