OAuth 2 Simplified
If the server supports PKCE, then the authorization server will recognize that this code was generated with a code challenge, and will hash the provided plaintext and confirm that the hashed version corresponds with the hashed string that was sent in the initial authorization request.
Your mobile application should first verify that the state corresponds to the state that was used in the initial request, and can then exchange the authorization code for an access token.
- REDIRECT_URI - Indicates the URI to return the user to after authorization is complete, such as fb00000000://authorize
- scope=email - One or more scope values indicating which parts of the user's account you wish to access
- state=1234zyx - A random string generated by your application, which you'll verify later

For servers that support the PKCE extension (and if you're building a server, you should support the PKCE extension), you'll also include the following parameters.
To use the client credentials grant type, make a POST request like the following: POST
The random secret you generated at the beginning

The authorization server will hash the verifier and compare it to the challenge sent in the request, and only issue the access token if they match.
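The verifier and challenge check described above, sketched as an added example that is not code from the original article. It assumes the S256 method from RFC 7636 (unpadded base64url of the SHA-256 of the verifier); `AuthServer`, `new_verifier`, `challenge_for` and `state_matches` are hypothetical names, and the store is in-memory.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    # Client: 32 random bytes become a 43-character verifier
    return b64url(secrets.token_bytes(32))


def challenge_for(verifier: str) -> str:
    # Client: S256 challenge sent with the initial authorization request
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def state_matches(sent: str, returned: str) -> bool:
    # Client: compare the state from the redirect with the one it generated
    return hmac.compare_digest(sent.encode(), returned.encode())


class AuthServer:
    """Hypothetical authorization server; assumption, not a real API."""

    def __init__(self):
        self._codes = {}  # authorization code -> challenge from the request

    def authorize(self, code_challenge: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        # A code is single use: it is consumed even if verification fails
        stored = self._codes.pop(code, None)
        if stored is None or not code_verifier.isascii():
            return None
        if not 43 <= len(code_verifier) <= 128:  # length range per RFC 7636
            return None
        # Hash the presented verifier; constant-time compare to the challenge
        computed = challenge_for(code_verifier).encode()
        if not hmac.compare_digest(computed, stored.encode()):
            return None
        return secrets.token_urlsafe(32)  # constructed access token value
```
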
> OAuth 2 Simplified
> This post describes OAuth 2.0 in a simplified format to help developers and service providers implement the protocol.
> aaronparecki.com