Posts

Showing posts from 2020

Identity and access management Flow

Salesforce can participate in a number of standard OAuth 2.0 flows acting as either the client, or as the authorisation and resource server. The flows in this section are the common general flows which are used for either user or server authorisation and authentication - flows to be applied in specific circumstances can be found in the "Specialised OAuth 2.0 Flows" section. The diagrams are shown in general terms as Salesforce can play the role of client or server. Considerations specific to Salesforce are mentioned in the notes.

WEB SERVER FLOW

Based on the OAuth Authorisation Code Grant flow.
Gold standard for security if the client secret can be protected by the client application - generally this is the case when the application is operating in a trusted environment (e.g. an internal enterprise server application).
Code challenge is optional and used together with code verifier in the token request to provide PKCE (p...