The Authorization Code Grant Type:

验证并请求code

code 来了，state验证这个请求就是我发的没错

type走得是authorization_code flow, code也是之前拿到的code,能把token拿来了嘛？

如果不使用basic authentication那么带上client id和client secret

Basic Authentication & OAuth:

得了，确认无误，token发放

Implicit Grant Type

没后端得spa用的，认证完毕token直接丢url里面给你自己拿

Too many security concerns

Client credential flow

The Resource Owner Password Credentials (ROPC) Grant Type

解决历史问题，不用了

Refresh Token

client credential为什么不用？不需要，直接请求access token就行了

直接放入query string或hash fragment安全性不高，还是用form post

Error Types:

Dealing with Native apps

Proof Key for Code Exchange(PKCE)

Links the authorization request to the token request

Open ID connection

API-to-API Delegation

Token exchange

ok