First look at the server-side flow
Imagine now that GoodApp is no longer a simple HTML/JavaScript web application but a full 3-tier client-server-database application. Because the server and database layers allow it to securely store confidential information, this client is a perfect candidate for the authorization code grant workflow.
A trusted client – GoodApp requests access to the user's Facebook friends using the authorization code grant
Remember that a trusted client is able to securely store confidential information, such as client credentials. So, during the registration process (which we will discuss in Chapter 3, Four Easy Steps), trusted clients are issued credentials to store. Here is what that exchange looks like with a registered, trusted client using the authorization code grant flow, once again picking up after GoodApp directs you to Facebook for user consent:
Here are the steps performed in the preceding flow chart,...