I'm currently unfamiliar with the OAuth 2.0 Authorization Code Flow. I've read many articles about it, and I still don't know how to properly implement it. So far, this is what I know about the flow:
- User Logs in using OAuth
- User is redirected to the authorization server for authorization code
- Callback for permission/scope
- Redirected to authorization server for access token in exchange for authorization code
- Redirect back to the client with the access token
- Client uses access token to access resource server.
Right now, what I'm still confused about is where the login validation (username and password) should come in. Is it a separate validation before going into the OAuth flow, and once the user is valid, should it go back to the flow?