OAuth 2.0 Flows
Authorization Code Flow for Server based Web Application
In the case of a singe page web application, the
client_secret is not sent.
However, the application (the client) cannot impersonate another client by changing
the client_id. This is since the redirect_uri is verified in
the step 5. In the step 8 the user will always be redirected to the URI registered against
This flow is used by devices such as speakers that do not have an interface to allow user login.