As we did for Basic Auth, we are going to build a server-side implementation of the OAuth2 protocol. Since both the Backbone App and the Server App are built by us, the client can be trusted with the user's credentials, so the grant type to choose is the Resource Owner Password Credentials Grant.
One difference from Basic Auth is that OAuth2 requires an additional endpoint that issues access and refresh tokens. As described in RFC 6749, requests to this endpoint must include the following:
The client makes a request to the token endpoint by adding the following parameters using the "application/x-www-form-urlencoded" format:
grant_type: REQUIRED. Value MUST be set to "password".
username: REQUIRED. The resource owner username.
password: REQUIRED. The resource owner password.
A valid request will look as follows:

    POST /api/oauth/token HTTP/1.1
    Host: example.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=password&username=john&password=doe