What is Authorization Code Grant?

This is the most common auth grant. You see this everyday when you log in to Facebook or Google. The difference of this auth grant is it is user initiated via the user-agent/browser. The authorization code is obtained by using an authorization server as an intermediary between the client and resource owner. Instead of requesting authorization directly from the resource owner, the client directs the resource owner to an authorization server (via its user- agent as defined in which in turn directs the resource owner back to the client with the authorization code. Before directing the resource owner back to the client with the authorization code, the authorization server authenticates the resource owner and obtains authorization. Because the resource owner only authenticates with the authorization server, the resource owner's credentials are never shared with the client.

Go to Atlassian Docs RFC-6749

OAuth 2.0 participants:

Resource Owner/End-user - An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end- user.

Client - An application making protected resource requests on behalf of the resource owner and with its authorization.

Resource Server - The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

Authorization Server - The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

OAuth v2 s1.1

If this is your first time authorizing this consumer, clicking on 'Authorize' will redirect you to a permission screen

These are the consumers you created from Bitbucket Settings