Relevant section in docs: https://www.rfc-editor.org/rfc/rfc6749#section-1.3.1
Initially it says:
The authorization code is obtained by using an authorization server as an intermediary between the client and resource owner. Instead of requesting authorization directly from the resource owner, the client directs the resource owner to an authorization server (via its user-agent as defined in [RFC2616]), which in turn directs the resource owner back to the client with the authorization code.
The bolded part makes me think that the Auth code is given to the Resource Owner, which then gives it to the Client. Like so:
However, it later says:
The authorization code provides a few important security benefits, such as the ability to authenticate the client, as well as the transmission of the access token directly to the client without passing it through the resource owner's user-agent and potentially exposing it to others, including the resource owner.
This makes me think that the auth code is being sent directly to the Client, rather than passing through the Resource Owner. Like so:
Which of the two is it? And if it's the latter, then what is the response that the Resource Owner gets?