fbatista/gist:971221

## gistfile1.txt
+----------+
|          |
|   User   |
|          |
+----------+
     ^
     |
    (B)
+----+------+          Client Identifier      +---------------+
|           +----(A)--- & Redirect URI ------>|               |
|           |                                 |     Oauth2    |
| Browser   +----(B)-- User authenticates --->|    Provider   |
|           |                                 |   (web app)   |
|           |<---(C)-- Authorization Code ----+               |
+------+----+                                 +---------+-----+
  ^    |                                         ^      |
  |   (C)                                        |      |
 (A)   |                                         |      |
  |    v                                         |      |
+-+----------+                                   |      |
|            +----(D)-- Client Credentials, -----'      |
|  Oauth2    |          Authorization Code,             |
| Consumer   |            & Redirect URI                |
|(mobile app)|                                          |
|            |<---(E)----- Access Token ----------------'
+------------+       (w/ Optional Refresh Token)


                Figure 3: Authorization Code Flow

   The flow illustrated in Figure 3 includes the following steps:

   (A)  The client initiates the flow by directing the resource owner's
        user-agent to the authorization endpoint.  The client includes
        its client identifier, requested scope, local state, and a
        redirection URI to which the authorization server will send the
        user-agent back once access is granted (or denied).
   (B)  The authorization server authenticates the resource owner (via
        the user-agent) and establishes whether the resource owner
        grants or denies the client's access request.
   (C)  Assuming the resource owner grants access, the authorization
        server redirects the user-agent back to the client using the
        redirection URI provided earlier.  The redirection URI includes
        an authorization code and any local state provided by the client
        earlier.
   (D)  The client requests an access token from the authorization
        server's token endpoint by authenticating using its client
        credentials, and includes the authorization code received in the
        previous step.  The client includes the redirection URI used to
        obtain the authorization code for verification.
   (E)  The authorization server validates the client credentials, the
        authorization code, and ensures the redirection URI received
        matches the URI used to redirect the client in step (C).  If
        valid, responds back with an access token.
	+----------+
	\| \|
	\| User \|
	\| \|
	+----------+
	^
	\|
	(B)
	+----+------+ Client Identifier +---------------+
	\| +----(A)--- & Redirect URI ------>\| \|
	\| \| \| Oauth2 \|
	\| Browser +----(B)-- User authenticates --->\| Provider \|
	\| \| \| (web app) \|
	\| \|<---(C)-- Authorization Code ----+ \|
	+------+----+ +---------+-----+
	^ \| ^ \|
	\| (C) \| \|
	(A) \| \| \|
	\| v \| \|
	+-+----------+ \| \|
	\| +----(D)-- Client Credentials, -----' \|
	\| Oauth2 \| Authorization Code, \|
	\| Consumer \| & Redirect URI \|
	\|(mobile app)\| \|
	\| \|<---(E)----- Access Token ----------------'
	+------------+ (w/ Optional Refresh Token)


	Figure 3: Authorization Code Flow

	The flow illustrated in Figure 3 includes the following steps:

	(A) The client initiates the flow by directing the resource owner's
	user-agent to the authorization endpoint. The client includes
	its client identifier, requested scope, local state, and a
	redirection URI to which the authorization server will send the
	user-agent back once access is granted (or denied).
	(B) The authorization server authenticates the resource owner (via
	the user-agent) and establishes whether the resource owner
	grants or denies the client's access request.
	(C) Assuming the resource owner grants access, the authorization
	server redirects the user-agent back to the client using the
	redirection URI provided earlier. The redirection URI includes
	an authorization code and any local state provided by the client
	earlier.
	(D) The client requests an access token from the authorization
	server's token endpoint by authenticating using its client
	credentials, and includes the authorization code received in the
	previous step. The client includes the redirection URI used to
	obtain the authorization code for verification.
	(E) The authorization server validates the client credentials, the
	authorization code, and ensures the redirection URI received
	matches the URI used to redirect the client in step (C). If
	valid, responds back with an access token.