The interaction between the authorization server and the resource server is beyond the scope of the OAuth specification.
The authorization server SHOULD NOT make assumptions about the client type.
The authorization server MUST first verify the identity of the resource owner. The way in which the authorization server authenticates the resource owner (e.g., username and password login, session cookies, …) is beyond the scope of the OAuth specification.
/authorize - Authorization endpoint - used by the client to obtain authorization from the resource owner via user-agent redirection.
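
The client side of the redirection through `/authorize`, as an added example that is not part of the original notes: it builds the URL the user-agent is sent to and validates the redirect that comes back. It assumes the authorization code grant with RFC 6749 parameter names; the endpoint host, client id and redirect URI are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical values for illustration; none of these come from the notes.
AUTHORIZE_URL = "https://as.example.com/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://client.example.com/callback"


def build_authorization_request(scope):
    """Return (url, state): the URL the client redirects the user-agent to."""
    # Unguessable value the client stores in the user's session to bind
    # the response to this request (CSRF protection on the callback).
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def parse_authorization_response(callback_url, expected_state):
    """Validate the redirect back from the authorization server; return the code."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("callback does not match the registered redirect_uri")
    params = parse_qs(parts.query)
    # A parameter sent twice is ambiguous, so refuse the whole response.
    if any(len(values) != 1 for values in params.values()):
        raise ValueError("repeated parameter in authorization response")
    got = {name: values[0] for name, values in params.items()}
    # Check state before anything else, in constant time.
    if not hmac.compare_digest(got.get("state", "").encode(),
                               expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in got:
        raise ValueError(f"authorization failed: {got['error']}")
    if "code" not in got:
        raise ValueError("authorization response carries no code")
    return got["code"]
```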