Before we start, let's do a quick recap of how the OAuth2 authorization flow actually works for a standard web application:
- The user asks the web application to login with the external provider X.
- The web application prompts the user with a pop-up window containing a page hosted directly by the external provider X, from which they can do the following:
  - Log in to X to authenticate themselves there, unless they're already logged in
  - If/when logged in, authorize the web application to use X as the third-party authentication provider, thus granting it access to the minimum user information required for that purpose (name, email, and so on)
  - If the user refuses to either log in to X or to give X the authorization, ...
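The two browser-facing steps of that flow, modelled offline as an added example (not code from the original text): building the authorization request the pop-up opens on provider X, and validating what X sends back, including the case where the user refuses. Provider X, the endpoint URLs and the client id are assumed placeholder values; the `state` and PKCE parameters are the standard OAuth2 protections against forged or replayed callbacks.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://x.example/oauth/authorize"   # assumed endpoint of provider X
CLIENT_ID = "web-app-client-id"                        # assumed registered client id
REDIRECT_URI = "https://app.example/oauth/callback"    # assumed registered callback


def build_authorization_request(session: dict, scope: str = "openid email profile") -> str:
    """Step 1: the URL the pop-up window opens on provider X.
    `state` ties the later callback to this browser session (CSRF protection);
    the PKCE code_challenge ties the later code exchange to this client."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    session["pkce_verifier"] = verifier
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": scope, "state": session["oauth_state"],
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Step 2: X redirects the pop-up back with either `code` (user authorized)
    or `error` (user refused, or never logged in). The `state` check runs before
    any other parameter is trusted; the outcome is returned as a plain dict."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    expected = session.pop("oauth_state", None)   # single use: consumed on first callback
    if expected is None or not secrets.compare_digest(
            q.get("state", "").encode(), expected.encode()):
        return {"ok": False, "reason": "state_mismatch"}
    if "error" in q:   # e.g. access_denied when the user declines on X's consent page
        session.pop("pkce_verifier", None)
        return {"ok": False, "reason": q["error"]}
    if "code" not in q:
        return {"ok": False, "reason": "missing_code"}
    # The code plus the stored PKCE verifier is what the web application's backend
    # then exchanges for tokens at X's token endpoint, server to server.
    return {"ok": True, "code": q["code"], "code_verifier": session.pop("pkce_verifier")}
```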