I’d like to understand OAuth 2.0 in more detail, and especially the authorization code flow. This might be nit-picking, but according to RFC 6749 the client initiates the flow:
(A) The client initiates the flow by directing the resource owner’s
user-agent to the authorization endpoint.
But isn’t it really the resource owner who initiates the flow by clicking a button like
“Connect with service xyz” or
“Import photos from abc” on the client application’s site when requesting authorization?
I mean, it’s this button click that sends out an HTTP GET originating from the resource owner’s machine/IP, right?
GET https://www.auth-server.com/oauth2/authorize?
    client_id=18f4ad63-01fa-41ae-b632-092a8f5d340b&
    redirect_uri=https://www.awesome-printservice.com/callback&
    scope=openid%20photos.read&
    response_type=code&
    response_mode=query&
    nonce=ugasq9v1bq
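The following is an added example, not code from the question or from any real client: it shows what “the client initiates the flow by directing the user-agent” looks like on the client’s side. The client never sends the GET above itself. It builds the authorization URL, remembers the values it needs to verify later, and answers the button click with a 302 so that the resource owner’s browser issues the GET. The endpoint, client_id, redirect_uri and scopes reuse the values from the question; the `state` parameter (required by RFC 6749 for CSRF protection, absent from the request in the question), the session dictionary and the function names are assumptions.

```python
"""Added example (not from the original question): how an OAuth 2.0 client
"initiates" the authorization code flow.  The client builds the authorization
URL, stores the anti-CSRF state and the OIDC nonce in the user's server-side
session, and redirects the browser; the browser then issues the GET.
AUTHORIZE_ENDPOINT, CLIENT_ID and REDIRECT_URI reuse the values from the
question; the session dict and the function names are assumptions."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_ENDPOINT = "https://www.auth-server.com/oauth2/authorize"
CLIENT_ID = "18f4ad63-01fa-41ae-b632-092a8f5d340b"
REDIRECT_URI = "https://www.awesome-printservice.com/callback"


def start_authorization(session, scope=("openid", "photos.read")):
    """Step (A) of RFC 6749 section 4.1, on the client side.

    Returns the (status, Location) pair the client sends back to the browser
    in response to the "Connect with service xyz" click.  The client chooses
    state and nonce and keeps them in the server-side session so the callback
    can be checked against them.
    """
    state = secrets.token_urlsafe(32)   # binds the callback to this browser session (CSRF)
    nonce = secrets.token_urlsafe(32)   # binds the ID token to this request (OIDC replay)
    session["oauth_state"] = state
    session["oidc_nonce"] = nonce
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scope),       # urlencode turns the space into '+'
        "response_type": "code",
        "response_mode": "query",
        "state": state,
        "nonce": nonce,
    }
    return 302, AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Step (C): the user-agent arrives at redirect_uri with code and state.

    Returns the authorization code only if the state matches the one stored
    at step (A); the stored state is consumed so it cannot be replayed.
    Raises ValueError for a missing or mismatched state, an error response,
    or a callback without a code.
    """
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None or not secrets.compare_digest(expected, received):
        raise ValueError("state mismatch: callback not bound to this session")
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


if __name__ == "__main__":
    browser_session = {}
    status, location = start_authorization(browser_session)
    print(status, location)   # the browser, not the client, now GETs this URL
    # Constructed callback, as the authorization server would redirect the browser:
    cb = REDIRECT_URI + "?" + urlencode(
        {"code": "SplxlOBeZQQYbYS6WxSbIA", "state": browser_session["oauth_state"]}
    )
    print(handle_callback(browser_session, cb))
```

The redirect is the only thing the client emits at step (A); everything from that point until the browser lands on `redirect_uri` happens between the resource owner’s user-agent and the authorization server, which is why the GET in the question originates from the resource owner’s IP even though the client chose every parameter in it.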