- Colin: OAuth Client
- Polly: OAuth User (a person)
- Roger: OAuth Resource Server
- Annie: OAuth Authorization Server
P (to C): Hey Colin. I wanna work with you on some of my stuff; can we do that?
C: I'm actually not currently allowed to get at your stuff, but let me talk to Annie about that.
C (to A): Hi, I'm Colin. Here's my Client ID. Can you ask Polly to confirm that I'm allowed access to her stuff and then contact me at this redirect_uri address? Also, can you give her this state token to give to me later?
A (to P): Hi Polly. Colin wants access to your stuff. Is that cool?
P: Sure. Here's my username and password. I'm cool with that.
A: Great. Colin wants you to go to this redirect_uri address. Give him these so that he knows what to do next. (hands her a code and a state)
P (to C): Hey Colin! Annie asked me to give you these (hands over the code and state).
C (to A): Hey Annie! It's me again. Here's my Client ID and (whispers) here's my Client Secret. Also, here's the code that you asked Polly to give me. If that's all cool, can you ask Polly to go to this redirect_uri address, please?
A (to P): Hello again, Polly. Colin wants you to go to this redirect_uri address. Can you give him this (hands her an access_token)? He's going to need that to access your stuff. In case he's wondering, it's a token of this type (hands her a token_type).
P (to C): I'm back! You'll need this (gives him access_token). Let's go to that redirect_uri address you gave Annie.
C: Sweet! I'm gonna get some of your stuff now.
C (to R): Hey Roger! Can I have some of Polly's stuff? (whispers) I have this access_token, so it's totally legit.
R (to A): Hey Annie, I've got this guy asking to get this stuff and he gave me this access_token. Is that OK?
A: Yeah, that's fine. Someone with that access_token can have that stuff.
R (to C): Looks good! Here you go (gives him some of Polly's stuff).