A closer look at the authorization code grant flow
Our server-side application would like to view the profile and feed data of the user who is using the application. In order to do this, WMIIG must first get authorization from the user by sending them to the service provider's authorization endpoint, passing along with it various properties describing the request. This step is nearly identical to how we did it for the implicit grant flow, with one important difference which we will get to shortly.
Here, the user is presented with the user consent screen, where they have the option of either accepting or denying the request. Once the user either accepts or denies, the response is sent back to WMIIG via the redirection endpoint. If the user accepts, the response will contain an authorization code, which can then be exchanged for an access token. Otherwise, an appropriate error message will be returned instead. This is represented by steps 4-6 in the preceding workflow. Let's examine these steps...
