In the OAuth2 Authorization Code Grant flow (three-legged OAuth), the process follows a specific sequence. After the client application redirects the resource owner (user) to the authorization server, the server first authenticates the user. It then presents a consent form asking the user to grant the client application access to their resources. The question asks for the step immediately following the presentation of this form. Once the resource owner approves the request by submitting the form, the authorization server's next action is to redirect the user's browser back to the client's pre-registered redirection URI. This redirect response contains the authorization code in its query parameters, which the client will then exchange for an access token.

A. The resource owner authenticates with the authorization server before the consent form is presented, not after.

B. The user initiating a request to the client is the very first step that starts the entire OAuth2 flow.

D. This describes the user's action of submitting the form, but the question asks for the next step in the protocol flow, which is the server's response to that submission.

1. IETF RFC 6749

The OAuth 2.0 Authorization Framework: Section 4.1.2

"Authorization Response

" states: "If the resource owner grants access

the authorization server redirects the user-agent back to the client using the redirection URI provided earlier. The redirection URI includes an authorization code..." This directly confirms that the redirection is the step following the resource owner's grant of access.

2. Cisco DevNet

"Understanding the OAuth 2.0 Authorization Code Grant": In the "How it works" section

Step 3 describes the user's interaction: "The user is prompted to log in to the Authorization Server and approve the request." Step 4

the subsequent step

states: "After the user approves the request

the Authorization Server redirects the user back to the web server. This is done via the redirecturi parameter."