This is an extension of the authorization code flow, as shown previously in the OAuth 2.0 section. It is commonly used with web applications and native mobile applications. In this flow, the request is made to the OP (OpenID provider) to authenticate users and user consent, and client request the Identity token from the backend channel. With this type of flow, tokens are not exposed to the browser.