This flow shares principles with the Implicit flow: both are meant to keep the client application from ever being exposed to the resource owner's credentials. In this flow, however, the client application stores a client secret, which it later uses to obtain a token.
In this flow, the client application sends its client ID, client secret, and a code to the authorization server in exchange for the access token. This is ideal for server-side web applications, where a client secret can be stored securely.
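The exchange described above, as an added example that is not part of the original page: the client back end builds the token request and an in-memory authorization server validates it. The client ID, secret, redirect URI and all function names are constructed for illustration, and the secret is sent in the form body, which is one of the client authentication options in RFC 6749.

```python
import hmac, secrets, time
from urllib.parse import urlencode, parse_qs

# Constructed sample data: one registered client; codes are issued at runtime.
CLIENTS = {"demo-client": "demo-secret-not-real"}
CODES = {}  # code -> (client_id, redirect_uri, expires_at)

def issue_code(client_id, redirect_uri, ttl=60, now=None):
    """Authorization server: mint a short-lived code after user consent."""
    code = secrets.token_urlsafe(16)
    CODES[code] = (client_id, redirect_uri, (now or time.time()) + ttl)
    return code

def build_token_request(client_id, client_secret, code, redirect_uri):
    """Client back end: form body for the token endpoint (RFC 6749, 4.1.3)."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,  # never leaves the server side
    })

def handle_token_request(body, now=None):
    """Authorization server: validate the request, return a token response."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    expected = CLIENTS.get(form.get("client_id", ""))
    supplied = form.get("client_secret", "")
    # Constant-time comparison avoids leaking the secret through timing.
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return {"error": "invalid_client"}
    # pop() makes the code single-use: a replayed code is rejected.
    issued = CODES.pop(form.get("code", ""), None)
    if issued is None:
        return {"error": "invalid_grant"}
    client_id, redirect_uri, expires_at = issued
    # The code must belong to this client, this redirect URI, and be unexpired.
    if (client_id != form["client_id"] or redirect_uri != form.get("redirect_uri")
            or (now or time.time()) > expires_at):
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

A code on its own is not enough to obtain a token here: the request is rejected unless the matching client secret accompanies it.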
The flow would be as follows:
- A resource ...