node.js - OAuth 2.0 Flow how it works node-oauth2-server


While implementing an OAuth server in Node.js with https://github.com/thomseddon/node-oauth2-server

I'm trying to understand the flow of OAuth 2.0.

Somehow I'm successful with the npm package implementation, but I have a doubt that I'm going wrong.

I'll explain how I'm successful.

1st request:

POST http://localhost:3000/oauth/token
    grant_type=password
    client_id=1011
    client_secret=somesecret
    username=admin
    password=admin

1st response:

{
    "token_type": "bearer",
    "access_token": "7f5261011fb0f84a4e193889fff4b7478f2a4cb2",
    "expires_in": 3600,
    "refresh_token": "da83de41966979ced65b3841e1758335a811c0c2"
}

After getting the access token, I'm sending this HTTP call:

2nd request:

GET http://localhost:3000/secret
    Authorization: Bearer 7f5261011fb0f84a4e193889fff4b7478f2a4cb2

2nd response:

{"data":"secret area accessible"} 

But here I'm confused about the following:

Question 1. The authorization_code part is missing.

Question 2. In the first call I need to send both client_secret and the user password. If I send both, it means either the OAuth client is exposing its secret to the user (browser), or the user is providing their password to the OAuth client.

Please share with me whether the request/response pattern of the whole OAuth 2.0 flow is as below:

a. browser -> oauth server: POST /oauth/authorize?client_id,username,password
b. user grants permission
c. browser -> oauth server: response auth_code
d. browser -> oauth client: POST auth_code
e. oauth_client -> oauth server: POST auth_code
f. oauth server -> oauth_client: response access_token
g. oauth_client -> resource_server: POST /resource?access_token (Question 3. Here, how does the resource server validate whether the access token is valid or not?)

OAuth 2.0 defines several ways of obtaining an access token through so-called "grants". Your requests show that you're using the Resource Owner Password Credentials grant, see: https://tools.ietf.org/html/rfc6749#section-1.3.3. This grant is indeed exposing the username/password to the client, which is why it defeats the purpose of OAuth 2.0 and is meant for migration purposes only, see: https://tools.ietf.org/html/rfc6749#section-10.7

The Authorization Code grant is a separate grant type, where the user is redirected via the browser to the authorization endpoint and the client stays out of the user authentication process. You seem to refer to it in the flow described in a.-f. Since it is a different grant type, you won't see the "authorization code" part in the Resource Owner Password Credentials grant.

In the correct Authorization Code grant flow, a. is a redirect instead of a POST, as in: a. browser -> oauth server redirect /oauth/authorize?client_id,response_type=code
