Authorization code flow

The authorization code flow is optimized for confidential clients, but it can also be used by public clients. It is used to obtain both access tokens and refresh tokens:

  1. The process starts when the client (for example, the MVC app) redirects the user agent (browser) to the authorization server.
  2. The client passes its client credentials (client ID and secret), scope, state, and redirection URI to the authorization server.
  3. If the client is authorized, the authorization server will ask the resource owner to enter the resource owner credentials.
  4. The authorization server takes the resource owner credentials and authenticates the resource owner.
  5. If the resource owner is authenticated, the authorization server asks the resource owner to either grant or deny the client access.
  6. If the resource owner grants the permission to the client, the authorization server redirects the user back to the client through the redirection URI provided earlier.
  7. The user agent then passes the authorization code, together with the redirection URI, to retrieve the access token.
  8. If the authorization server verifies the authorization code, it will return the access token to the redirection URI provided earlier.
  9. This access token can be used by the application to authorize users on every subsequent request.

With this flow, the access token is never exposed to the user agent; only the client application handles it. The user agent delivers the authorization code to the client, and the client uses the access token it obtains to access the resource server.
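As an added worked example (not code from the book), the flow above simulated end to end in Python with both parties in one process: the client's authorization request, the authorization server's checks at each numbered step, the redirect carrying a single-use code, and the back-channel code exchange. The client registration, user credentials and URLs are constructed sample values. Following RFC 6749, the client secret is sent only to the token endpoint and never in the browser redirect; the example also enforces the `state` check on the callback and single-use, short-lived codes, the two checks a reviewer would look for first.

```python
"""Added example: in-memory simulation of the OAuth 2.0 authorization code flow.
AuthorizationServer, ConfidentialClient and all sample values are constructed
for illustration; this is not code from the original page."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs


class AuthorizationServer:
    """Registration, authorization endpoint (front channel) and token endpoint
    (back channel). Codes are short-lived, single-use and bound to the client
    and redirection URI they were issued for."""

    def __init__(self):
        self.clients = {}   # client_id -> {"secret", "redirect_uris"}
        self.users = {}     # username -> password (constructed sample users)
        self.codes = {}     # code -> issuance record
        self.tokens = {}    # access token -> {"client_id", "user", "scope"}

    def register_client(self, client_id, secret, redirect_uris):
        self.clients[client_id] = {"secret": secret, "redirect_uris": list(redirect_uris)}

    def register_user(self, username, password):
        self.users[username] = password

    def authorize(self, query, username, password, grant):
        """Steps 3-6. `query` is the parsed authorization request the user agent
        arrived with. Returns the redirect URL that sends the user back to the client."""
        client = self.clients.get(query.get("client_id"))
        redirect_uri = query.get("redirect_uri")
        state = query.get("state", "")
        # Step 3: client must be registered and redirect_uri must match exactly,
        # otherwise the code could be delivered to a URI the client never registered.
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise PermissionError("unknown client or unregistered redirect_uri")
        # Step 4: authenticate the resource owner.
        if self.users.get(username) != password:
            raise PermissionError("resource owner authentication failed")
        # Step 5: resource owner grants or denies access.
        if not grant:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        # Step 6: issue a single-use code bound to client, redirect URI and user.
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": query["client_id"], "redirect_uri": redirect_uri,
                            "user": username, "scope": query.get("scope", ""),
                            "expires": time.time() + 60}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 8, token endpoint. The client secret is checked here, on the back
        channel, so it never passes through the user agent."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        record = self.codes.pop(code, None)  # pop: a code can be redeemed exactly once
        if (record is None or record["client_id"] != client_id
                or record["redirect_uri"] != redirect_uri or record["expires"] < time.time()):
            raise PermissionError("invalid, expired or replayed authorization code")
        access = secrets.token_urlsafe(32)
        self.tokens[access] = {"client_id": client_id, "user": record["user"], "scope": record["scope"]}
        return {"access_token": access, "token_type": "Bearer",
                "refresh_token": secrets.token_urlsafe(32), "scope": record["scope"]}


class ConfidentialClient:
    def __init__(self, client_id, secret, redirect_uri, auth_server):
        self.client_id, self.secret, self.redirect_uri = client_id, secret, redirect_uri
        self.auth_server = auth_server
        self.pending_states = set()

    def authorization_request(self, scope):
        """Steps 1-2: URL the user agent is redirected to. Only public parameters
        appear; the secret is reserved for the token endpoint."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return "https://as.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def handle_callback(self, redirect_url):
        """Step 7: the user agent arrives with the code; the client verifies the
        state it issued (CSRF protection), then exchanges the code on the back channel."""
        params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if params.get("state") not in self.pending_states:
            raise PermissionError("state mismatch: callback was not initiated by this client")
        self.pending_states.discard(params["state"])
        if "error" in params:
            raise PermissionError(params["error"])
        return self.auth_server.token(self.client_id, self.secret, params["code"], self.redirect_uri)


def run_flow(grant=True):
    """Drive the whole flow once; returns (token response, server, client)."""
    server = AuthorizationServer()
    server.register_client("mvc-app", "s3cret-constructed", ["https://app.example/callback"])
    server.register_user("alice", "correct horse")  # constructed sample user
    client = ConfidentialClient("mvc-app", "s3cret-constructed", "https://app.example/callback", server)
    auth_url = client.authorization_request("profile")
    query = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    callback = server.authorize(query, "alice", "correct horse", grant)
    return client.handle_callback(callback), server, client


if __name__ == "__main__":
    token_response, _, _ = run_flow()
    print(token_response)
```

Two properties worth noting in the code: the authorization server pops the code on redemption, so a replayed code fails even if it has not yet expired, and the client rejects any callback whose `state` it did not itself issue, which is what stops an attacker from completing the flow with a code bound to a different user.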
