Exam 350-901 topic 1 question 62 discussion

I would like to correct my previous answer. After studying more, I believe the correct order should be: 1. End-user initiates authentication OAuth client. 2. OAuth client communicates with AS to display login UI. 3. End-user authenticates with the AS. 4. OAuth client receives an authorization code. 5. OAuth client requests access token from AS. 6. OAuth client receives access token from AS. 7. OAuth client requests a resource on the AS.

(A) The client then initiates the OAuth flow by directing the resource owner’s browser to the authorization server’s endpoint. (B) In this step, the resource owner decides whether to grant the requested access to the client application. (C) If the resource owner grants access, the authorization server redirects the user’s browser back to the client using the redirection URI provided earlier (in the request or during client registration). The redirection URI includes an authorization code and any local state provided by the client earlier. (D) The client exchanges the authorization code for the access token by making a POST request to the authorization server’s token (E) The authorization server authenticates the client, validates the authorization code, and checks that the redirection URI matches the one used in step (A). If the request is valid, the authorization server responds with an access token. (F) The client accesses protected resources, using the access token for authentication with the resource server.