Exam 350-901 topic 1 question 68 discussion

D seems correct: https://www.ibm.com/docs/en/datapower-gateways/10.0.1?topic=flows-three-legged-oauth-flow

A - This happens earlier in the flow, before authz server presents form to grant access. B - Definitely not C - Happens later in the flow. D - Correct answer. Kudos to Johnno26 for the link which has every step word for word!

Option D is a obious result, the owner will submit something, but the questions says what happen after, so after the owner respond the AuthServer will redirect to the client sending the authorization code

A user, as the resource owner, initiates a request to the OAuth client. The OAuth client sends the resource owner a redirection to the authorization server. The resource owner authenticates and optionally authorizes with the authorization server. The authorization server presents a form to the resource owner to grant access. The resource owner submits the form to allow or to deny access. Based on the response from the resource owner, the following processing occurs: If the resource owner allows access, the authorization server sends the OAuth client a redirection with the authorization grant code or the access token. If the resource owner denies access, the request is redirected to the OAuth client but no grant is provided.

The resource owner makes a decision to grant or deny access to the application (OAuth client)

The other options are incorrect. Option A is incorrect because the resource owner does not authenticate with the authorization server in this step. Option B is incorrect because the user who owns the resource does not initiate a request to the OAuth client in this step. Option D is incorrect because the owner of the resource does not submit a form to allow or restrict access in this step.

Option D is incorrect because it mentions a form being submitted by the owner of the resource to allow or restrict access. While the resource owner may provide consent through a form, the submission of the form is not the next step after the authorization server presents the form. The next step is the resource owner authenticating and optionally authorizing with the authorization server.

Answer = D https://www.ibm.com/docs/en/datapower-gateways/10.0.1?topic=flows-three-legged-oauth-flow

D is correct 1. A user, as the resource owner, initiates a request to the OAuth client. 2. The OAuth client sends the resource owner a redirection to the authorization server. 3. The resource owner authenticates and optionally authorizes with the authorization server. 4. The authorization server presents a form to the resource owner to grant access. 5. The resource owner submits the form to allow or to deny access. 6. Based on the response from the resource owner, the following processing occurs: A) If the resource owner allows access, the authorization server sends the OAuth client a redirection with the authorization grant code or the access token. B) If the resource owner denies access, the request is redirected to the OAuth client but no grant is provided.

Maybe C is correct "If the resource owner grants access, the authorization server redirects the user's browser back to the client using the redirection URI provided earlier (in the request or during client (registration). The redirection URI includes an authorization code and any local state provided by the client earlier" "Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier (in the request or during client (registration). The redirection URI includes an authorization code and any local state provided by the client earlier."