OAuth2 authorization flow

Before we start, let's do a quick recap of how the OAuth2 authorization flow actually works for a standard web application:

  1. The user asks the web application to log in with the external provider X.
  2. The web application prompts the user with a pop-up window containing a page hosted directly by the external provider X, from which they can do the following:
    • Log in to X to authenticate themselves there, unless they are already logged in
    • Once logged in, authorize the web application to use X as the third-party authentication provider, thus giving it access to the minimum amount of user information (name, email, and so on) required for that purpose
  3. If the user refuses either to log in to X or to grant the web application that authorization, the pop-up will close and the authentication process will fail; if they accept, X sends the browser back to the web application carrying a credential: an authorization code in the explicit flow, or the OAuth2 access token itself in the implicit flow (both grant types are described below).
  4. The web application will immediately consume that OAuth2 access token (after exchanging the authorization code for it, where applicable) to fetch the user information mentioned above and use it to either create a new account or log in to an existing one, depending on whether that information corresponds to an existing user or not.

This is what happens under the hood, regardless of whether X is Facebook, Google, Twitter, or anything else. That said, such a workflow can be implemented in a number of alternative ways, which can be grouped into two main approaches (or, more precisely, grant types):

  • Using an implicit flow, often handled by a client-side SDK written in JavaScript and made available by the external provider itself
  • Using an explicit flow, with the help of a set of server-side tools, packages, or libraries made available by the chosen development framework (such as ASP.NET Core), third-party packages, or the external provider itself

The explicit flow grant type is also called the authorization code flow, because it returns a unique, short-lived authorization code that the web application's server must then exchange for the OAuth2 access token. This prevents the latter from being directly exposed to the user and to anything that has access to the user's user agent (such as browser extensions, installed software, and packet sniffers). The exchange happens server-to-server and can be protected with the client secret issued by X, something the implicit flow has no way to do; for this reason the OAuth 2.0 Security Best Current Practice (RFC 9700) recommends against the implicit flow and in favour of the authorization code flow, combined with PKCE, for new applications.
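The whole round trip described in steps 1 to 4, in its explicit (authorization code) form, as an added example that is not the book's code: a constructed in-memory provider stands in for X, the web application keeps the client secret and the token exchange on the server, the authorization response is bound to the browser session with a state parameter, and the code is bound to the requesting client with PKCE (RFC 7636), which goes beyond what the text describes. All names and URLs (demo-client, app.example, x.example, the sample user) are assumptions made for the example.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values: the web application's registration at provider X.
CLIENT_ID = "demo-client"
CLIENT_SECRET = "demo-secret"
REDIRECT_URI = "https://app.example/signin-x"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def query_params(url: str) -> dict:
    """First value of every query-string parameter of url."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class FakeProvider:
    """Constructed in-memory stand-in for provider X (authorize, token, userinfo)."""

    def __init__(self):
        self._codes = {}    # code -> (redirect_uri, code_challenge, user); single use
        self._tokens = {}   # access token -> user

    def authorize(self, query: dict, user: dict, approves: bool) -> str:
        # Steps 2 and 3: the user is logged in at X and approves (or refuses) the app.
        if query.get("response_type") != "code" or query.get("client_id") != CLIENT_ID:
            raise ValueError("unsupported_response_type")
        redirect_uri, state = query["redirect_uri"], query["state"]
        if not approves:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self._codes[code] = (redirect_uri, query["code_challenge"], user)
        # Only the short-lived code travels through the browser, never the token.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, form: dict) -> dict:
        # Step 4, back channel: code + client secret + PKCE verifier -> access token.
        entry = self._codes.pop(form.get("code"), None)
        if entry is None or not secrets.compare_digest(form.get("client_secret", ""), CLIENT_SECRET):
            raise PermissionError("invalid_grant")
        redirect_uri, challenge, user = entry
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
        if form.get("redirect_uri") != redirect_uri or not secrets.compare_digest(expected, challenge):
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user
        return {"access_token": token, "token_type": "Bearer"}

    def userinfo(self, authorization: str) -> dict:
        scheme, _, token = authorization.partition(" ")
        if scheme != "Bearer" or token not in self._tokens:
            raise PermissionError("invalid_token")
        return dict(self._tokens[token])


class WebApp:
    """The relying web application, server side (explicit / authorization code flow)."""

    def __init__(self, provider: FakeProvider):
        self.provider = provider
        self.users = {}     # email -> local account

    def begin_login(self) -> tuple:
        # Step 1: bind this attempt to the browser session with an unguessable state
        # (anti-CSRF) and a PKCE verifier, then send the user to X's authorize page.
        session = {"state": secrets.token_urlsafe(16), "verifier": secrets.token_urlsafe(32)}
        challenge = b64url(hashlib.sha256(session["verifier"].encode()).digest())
        query = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                 "scope": "openid email profile", "state": session["state"],
                 "code_challenge": challenge, "code_challenge_method": "S256"}
        return "https://x.example/oauth2/authorize?" + urlencode(query), session

    def finish_login(self, callback_url: str, session: dict) -> dict:
        # Steps 3 and 4: the browser lands on the redirect URI; the server redeems the code.
        params = query_params(callback_url)
        if not secrets.compare_digest(params.get("state", ""), session["state"]):
            raise PermissionError("state mismatch: response not bound to this session")
        if "error" in params:
            raise PermissionError("provider returned " + params["error"])
        token = self.provider.token({"grant_type": "authorization_code", "code": params.get("code"),
                                     "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                                     "client_secret": CLIENT_SECRET, "code_verifier": session["verifier"]})
        info = self.provider.userinfo(token["token_type"] + " " + token["access_token"])
        # Create the local account on first sight, otherwise log in to the existing one.
        account = self.users.setdefault(info["email"], {"email": info["email"], "name": info["name"], "logins": 0})
        account["logins"] += 1
        return account


def demo(approves: bool = True) -> dict:
    """One complete round trip for a constructed user; raises PermissionError on refusal."""
    provider = FakeProvider()
    app = WebApp(provider)
    auth_url, session = app.begin_login()
    callback = provider.authorize(query_params(auth_url), {"name": "Jane Doe", "email": "jane@example.org"}, approves)
    return app.finish_login(callback, session)
```

Running `demo()` returns the local account created for the sample user; `demo(False)` raises because the user refused consent. Three properties of the explicit flow are visible in the code: the callback URL that passes through the browser carries only `code` and `state`, never the access token; a code that is replayed to the token endpoint is rejected because it was popped on first use; and a callback whose `state` does not match the session is rejected before any server-to-server call is made.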

To learn more about the OAuth2 authorization framework, we strongly suggest reading the following URLs:
  • Official page: http://oauth.net/2/
  • RFC 6749: https://tools.ietf.org/html/rfc6749