Getting into the flow

Now that we've seen what an access token looks like, let's look at how we create them.

Most sites implement a web flow like the one illustrated in the ASCII sequence diagram on the right. Let's walk through the flow for a simple use case.

A) Site #1 sends a user to Site #2 to authorize access.
B) Once the user is logged in and agrees to allow access, they're sent back to Site #1 with some extra info.
C) Site #1 passes this extra info back to Site #2 to ask for an access token.
D) Site #2 validates the info and sends back an access token which Site #1 stores for future use.
E) Site #1 passes the access token back to Site #2 when it requests any resources.
F) Site #2 validates the token and responds with the requested resource.

You can mentally divide the diagram into two parts. Steps A-D are used to get an access token and are generally done one time for a user. Steps E-F are repeated every time the third party requests a resource from the API.
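To make steps A-F concrete, here is an added example (not code from the original page or from any particular OAuth library) that simulates both sites in memory. Plain Python method calls stand in for the HTTP redirects and requests, and every name in it is constructed for illustration: `AuthorizationServer` plays Site #2, `ClientSite` plays Site #1, the client id `site1`, its secret, the redirect URI and the user `alice` are made up. Besides walking the happy path, `demo()` shows the two validations a practitioner most wants in step D and step B's return trip: the authorization code is accepted exactly once, and the client refuses a callback whose `state` it never issued.

```python
import secrets
import time


class AuthorizationServer:
    """Site #2: authorizes the user, issues codes and tokens, serves resources."""

    def __init__(self, clients, code_ttl=60.0):
        self.clients = clients          # client_id -> (client_secret, redirect_uri)
        self.codes = {}                 # one-time authorization codes
        self.tokens = {}                # issued access tokens
        self.code_ttl = code_ttl        # seconds a code stays exchangeable

    def authorize(self, client_id, redirect_uri, state, user):
        """Step B: user is logged in and has approved; hand back a code plus the client's state."""
        _secret, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise PermissionError("redirect_uri does not match the registered one")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "expires": time.time() + self.code_ttl}
        return {"code": code, "state": state}

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step D: validate the code and the client, then issue an access token."""
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            raise PermissionError("unknown client or bad secret")
        record = self.codes.pop(code, None)   # pop: a code is good for exactly one exchange
        if record is None:
            raise PermissionError("unknown or already-used code")
        if (record["client_id"] != client_id or record["redirect_uri"] != redirect_uri
                or record["expires"] < time.time()):
            raise PermissionError("code not valid for this client/redirect, or expired")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": record["user"], "client_id": client_id}
        return {"access_token": access_token, "token_type": "bearer"}

    def resource(self, authorization_header):
        """Step F: check the bearer token and return the protected resource."""
        scheme, _, presented = authorization_header.partition(" ")
        record = self.tokens.get(presented) if scheme.lower() == "bearer" else None
        if record is None:
            raise PermissionError("missing or invalid access token")
        return {"user": record["user"]}


class ClientSite:
    """Site #1: sends the user off to authorize, then calls the API with the token."""

    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id = server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending_states = set()     # states we issued and have not yet seen back
        self.access_token = None

    def start(self):
        """Step A: build the authorization request, remembering a random state."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri, "state": state}

    def callback(self, code, state):
        """Steps B-D: the user is back with a code; swap it for a token and store it."""
        if state not in self.pending_states:
            raise PermissionError("state not issued by us; refusing the callback")
        self.pending_states.discard(state)
        reply = self.server.token(self.client_id, self.client_secret, code, self.redirect_uri)
        self.access_token = reply["access_token"]
        return self.access_token

    def fetch_resource(self):
        """Steps E-F: present the stored token on an API request."""
        return self.server.resource("Bearer " + self.access_token)


def demo():
    """Run A-F once, then show two checks the server and the client must make."""
    # Constructed registration data: one client known to the server.
    server = AuthorizationServer({"site1": ("s3cret", "https://site1.example/callback")})
    client = ClientSite(server, "site1", "s3cret", "https://site1.example/callback")
    request = client.start()                                             # A
    redirect = server.authorize(request["client_id"], request["redirect_uri"],
                                request["state"], user="alice")          # B
    client.callback(redirect["code"], redirect["state"])                 # C, D
    profile = client.fetch_resource()                                    # E, F

    code_reuse_rejected = False
    try:   # replaying the same code must fail: it was consumed in step D
        server.token("site1", "s3cret", redirect["code"], "https://site1.example/callback")
    except PermissionError:
        code_reuse_rejected = True

    bad_state_rejected = False
    try:   # a callback carrying a state we never issued must be refused
        client.callback("whatever", "not-our-state")
    except PermissionError:
        bad_state_rejected = True
    return {"profile": profile, "code_reuse_rejected": code_reuse_rejected,
            "bad_state_rejected": bad_state_rejected}


if __name__ == "__main__":
    print(demo())
```

Note how the two halves of the diagram show up in the code: `start`, `authorize`, `callback` and `token` (steps A-D) run once and leave `client.access_token` set, while `fetch_resource` and `resource` (steps E-F) can be called as many times as the client needs the API.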

Don't get intimidated by all the arrows. We're just taking a look at the big picture before we dive into OAuth access tokens.


Once you've got a handle on the diagram, let's move on to the next section.