The following diagram explains the oauth processes:



A. Consumer requests a request token.
B. Service Provider grants requst token.

A & B: an application requests access and gets an unauthorized request token from the service provider sucha as facebook, google, etc.

C. Consumer directs user to service provider.
D. Service provider directs user to consumer.

C & D: the service provider asks the user to grant the application access to the required data. Normally, the service provider displays a login web interface to authenticate the user and asks the user if it is ok for the application to access the user's data.

E. Consumer requests access token.
F. Service provider grants access token.

E & F: The application requests an access token with the request token and gets an authorized access token from the service provider.

G. Consumer acesses protected resources.

G: The application can access the user's data on behalf of the user.


Note that a request token lasts for short time, normally 1 hour, whereas an access token can live longer and can be reused. Hence the application should save the access token in the secure place.