- A client requests access to a provider’s service using its own unique client ID and secret token.
- The user logs into the service directly (using a web page on the provider’s server) and grants the client permission to access.
- The provider redirects the user to a URL unique to the client passing along a verification code in the query string.
- The client verifies the authorization request and uses the verification code from step 3 to obtain an access token.
- The client may periodically refresh the access token when it expires.
Source: OAuth2 for iPhone and iPad applications