I know two main ways of using OAuth2:

1. password-based client grant (2-leg OAuth flow: on the project I worked on, the OAuth client was not a third-party server; instead, it was the front-end)
2. authorization code based grant (3-leg OAuth flow)

What is “the client”?

The RFC 6749 that presents OAuth2 is very readable, but some terms like “client” or “code” are confusing. What I found is that trying to understand “why” the main flow (3-legged OAuth, or “authorization code flow...
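To make the two grants and the word “client” concrete, here is an added toy model (not code from the original post or from any project it mentions) of both flows from RFC 6749 in one process: an authorization server with an authorization endpoint and a token endpoint, and a client that drives the three legs of the authorization code grant or, alternatively, sends the user's password itself as in the password grant. The client id `webapp`, its secret, the redirect URI, the user `alice` and her password are constructed sample values; the class and function names are assumptions for illustration.

```python
"""Toy model of two OAuth2 grants from RFC 6749: the resource owner password
credentials grant (section 4.3, the "2-leg" flow above) and the authorization
code grant (section 4.1, the "3-leg" flow). Everything here is constructed for
illustration: there is no network, the "user" is a dict, and the redirects are
plain return values."""
import hmac
import secrets
import time

# Constructed sample data: one registered client and one resource owner.
CLIENTS = {"webapp": {"secret": "s3cret-constructed", "redirect_uri": "https://app.example/cb"}}
USERS = {"alice": "correct horse battery staple"}


class AuthorizationServer:
    """The authorization server: in the authorization code grant it is the only
    party that ever sees the user's password."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, user, expiry)

    # --- authorization endpoint (front channel, reached via the user's browser) ---
    def authorize(self, client_id, redirect_uri, state, username, password):
        client = CLIENTS.get(client_id)
        # Exact redirect_uri match keeps the code from being sent somewhere else.
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not hmac.compare_digest(USERS.get(username, ""), password):
            raise ValueError("bad user credentials")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, username, time.time() + 60)
        # The browser is redirected back to the client with the code and its state.
        return {"code": code, "state": state}

    # --- token endpoint (back channel, client talks to the server directly) ---
    def token(self, grant_type, client_id, client_secret, **params):
        client = CLIENTS.get(client_id)
        # A browser front end could not keep this secret; RFC 6749 section 2.1
        # calls such clients "public" and they authenticate differently.
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise ValueError("client authentication failed")
        if grant_type == "authorization_code":
            entry = self._codes.pop(params["code"], None)  # codes are single use
            if entry is None:
                raise ValueError("invalid or already used code")
            cid, ruri, user, expiry = entry
            if cid != client_id or ruri != params["redirect_uri"] or time.time() > expiry:
                raise ValueError("code does not match this request")
        elif grant_type == "password":
            # 2-leg flow: the client itself forwards the user's credentials.
            if not hmac.compare_digest(USERS.get(params["username"], ""), params["password"]):
                raise ValueError("bad user credentials")
            user = params["username"]
        else:
            raise ValueError("unsupported grant_type")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer", "sub": user}


class Client:
    """The OAuth2 client (RFC 6749 section 1.1): the application that wants a token,
    identified by client_id and, here, authenticated with client_secret."""

    def __init__(self, server, client_id, client_secret):
        self.server, self.client_id, self.secret = server, client_id, client_secret
        self._pending = {}  # state -> redirect_uri of the flows we started

    def start_authorization(self):
        """Leg 1: build the authorization request the browser will be sent to."""
        state = secrets.token_urlsafe(16)
        self._pending[state] = CLIENTS[self.client_id]["redirect_uri"]
        return {"client_id": self.client_id, "redirect_uri": self._pending[state],
                "response_type": "code", "state": state}

    def handle_callback(self, code, state):
        """Leg 3: check state (CSRF protection) and swap the code for a token."""
        redirect_uri = self._pending.pop(state, None)
        if redirect_uri is None:
            raise ValueError("unknown state: callback was not initiated by this client")
        return self.server.token("authorization_code", self.client_id, self.secret,
                                 code=code, redirect_uri=redirect_uri)

    def password_grant(self, username, password):
        """The 2-leg alternative: the client handles the user's password itself."""
        return self.server.token("password", self.client_id, self.secret,
                                 username=username, password=password)


def run_code_flow():
    """Drive the three legs; returns (token response, error from replaying the code)."""
    srv = AuthorizationServer()
    app = Client(srv, "webapp", CLIENTS["webapp"]["secret"])
    req = app.start_authorization()                          # leg 1: client -> browser -> AS
    cb = srv.authorize(req["client_id"], req["redirect_uri"], req["state"],
                       "alice", USERS["alice"])               # leg 2: user logs in at the AS
    token = app.handle_callback(cb["code"], cb["state"])      # leg 3: client <-> AS, back channel
    try:
        srv.token("authorization_code", "webapp", CLIENTS["webapp"]["secret"],
                  code=cb["code"], redirect_uri=req["redirect_uri"])
        replay = None
    except ValueError as e:
        replay = str(e)
    return token, replay


if __name__ == "__main__":
    print(run_code_flow())
```

The contrast the model makes visible: in `password_grant` the client receives the user's password, so the user must trust the client with it; in the code flow the client only ever holds a short-lived, single-use `code` tied to its `client_id` and `redirect_uri`, and the `state` it generated lets it reject callbacks it did not start.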