@startuml
box Client side
actor "Resource owner" as Owner
participant "User Agent" as UA
participant Client
end box
box Server side
participant "Authorization Server" as AuthZ
participant "Resource Server" as R
end box
activate Owner
Owner -> UA : Request
activate UA
UA -> Client : Request
activate Client
Client -> Client : Needs a protected resource
UA <- Client : Redirect to Authorization Server
deactivate Client
group OAuth Implicit Grant
UA -> AuthZ : GET /oauth/authorize?response_type=token&client_id=...&redirect_uri=...&state=...
activate AuthZ
note over AuthZ: If the owner is not logged in, a login form\nis usually inserted here first.\nredirect_uri must match the URI registered for client_id.
UA <- AuthZ : Show approval form
deactivate AuthZ
Owner <- UA : Show approval form \nClient is requesting permission to ... \n[Allow] [Deny]
deactivate UA
Owner -> UA : Allow!
activate UA
UA -> AuthZ : POST /oauth/approve
activate AuthZ
UA <- AuthZ : Here is the access token\nRedirect to callback \nLocation: /callback#access_token=token123...&token_type=Bearer&state=...
deactivate AuthZ
note over UA: The token is in the URL fragment, which the browser does not\nsend to the server (RFC 6749 section 4.2.2). Client-side script reads it\nand must check that state equals the value stored before the redirect.
UA -> Client : Here is the access token\nNotify access token \nGET /callback (script extracts access_token from the fragment)
activate Client
end
note over Client, AuthZ: Because the token is exposed in a URL (history, Referer, logs),\nthe OAuth 2.0 Security BCP (RFC 9700) advises against the implicit grant;\nnew clients should use the authorization code grant with PKCE.
Client -> R : GET /resource \nAuthorization: Bearer token123...
activate R
Client <- R : Here is the resource
deactivate R
Client -> Client : Can now use the resource
UA <- Client : Response
deactivate Client
Owner <- UA : Response
deactivate UA
@enduml