The OAuth protocol uses a process known as handshake to facilitate its authentication flow. Basically, you request access, the server verifies the user's identity, the user grants access, and the server allows you to make requests. The real flow is more like this:
Fake step 1:
Redirect user to the authentication provider's request URI endpoint along with parameters of your request, including scope and redirect URI (where the response should be sent)
User logs in and grants access to your app after reviewing the permissions you have requested
Server verifies the user's identity and provides a request token to the redirect endpoint you specified
Fake step 2:
You take the request token from the response and pass it back to the server, this time to the authentication endpoint
The server exchanges this for an access token and a refresh token
Fake step 3:
You make your requests with the access token