OAuth 2 has 4 different roles in this process.
Resource Owner
Client
Authorization Server
Resource Server
Resource Owner: The resource owner is the user who authorizes an application to access their account.
Client: The client is the application that the user uses to get resources from the resource server.
Authorization Server: The authorization server issues access tokens after authenticating the user and obtaining an authorization grant.
The authorization server issues two types of tokens: access_token and refresh_token.
The access token is used to access resources until it expires.
The refresh token is used to request a new access token once the access token has expired.
An authorization grant is a credential representing the resource owner's authorization (to access its protected resources), used by the client to obtain an access token.
The specification defines 4 grant types:
Authorization code
Implicit
Resource owner password credentials
Client credentials
Generally, we use the implicit grant flow if the client is a Single Page Application (meaning an application running in a browser using a scripting language such as JavaScript). Please refer to the following link to decide which grant type is suitable for your case. In this article, we are using the implicit grant type and the password grant type.
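The token lifecycle described above, as an added example that is not code from this article: a client obtains an access_token and a refresh_token with the password grant, then uses the refresh token once the access token has expired. The in-memory `AuthorizationServer`, `resource_server` and `Client`, the sample user and the 2-second lifetime are assumptions made for illustration; the parameter and error names follow RFC 6749.

```python
import hmac, secrets, time

USERS = {"alice": "s3cret"}   # constructed resource owner credentials
ACCESS_TTL = 2                # access token lifetime in seconds (short for the demo)

class AuthorizationServer:    # in-memory stand-in for a token endpoint (hypothetical)
    def __init__(self, clock=time.time):
        self.clock, self.access_tokens, self.refresh_tokens = clock, {}, {}

    def token(self, grant_type, **params):
        if grant_type == "password":
            user, pw = params.get("username"), params.get("password", "")
            if user not in USERS or not hmac.compare_digest(USERS[user], pw):
                return {"error": "invalid_grant"}
            refresh = secrets.token_urlsafe(16)
            self.refresh_tokens[refresh] = user
        elif grant_type == "refresh_token":
            refresh = params.get("refresh_token")
            user = self.refresh_tokens.get(refresh)
            if user is None:
                return {"error": "invalid_grant"}
        else:
            return {"error": "unsupported_grant_type"}
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = (user, self.clock() + ACCESS_TTL)
        return {"access_token": access, "token_type": "bearer",
                "expires_in": ACCESS_TTL, "refresh_token": refresh}

    def validate(self, access_token):
        user, expires_at = self.access_tokens.get(access_token, (None, 0))
        return user if self.clock() < expires_at else None

def resource_server(auth, access_token):  # serves only valid, unexpired tokens
    user = auth.validate(access_token)
    return (200, f"profile of {user}") if user else (401, "invalid_token")

class Client:
    def __init__(self, auth):
        self.auth, self.tokens = auth, {}
    def login(self, username, password):
        self.tokens = self.auth.token("password", username=username, password=password)
        return "error" not in self.tokens

    def get_resource(self):
        status, body = resource_server(self.auth, self.tokens.get("access_token"))
        if status == 401 and "refresh_token" in self.tokens:  # expired: refresh once, retry
            self.tokens = self.auth.token("refresh_token", refresh_token=self.tokens["refresh_token"])
            status, body = resource_server(self.auth, self.tokens.get("access_token"))
        return status, body
```

Of the two grant types this article uses, only the password grant returns a refresh token; RFC 6749 does not allow the authorization server to issue one in the implicit flow.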