Client applications hosted on a secure server use Authorization Code Grant. Client applications use this grant to obtain both Access tokens and Refresh tokens. This grant ensures that both types of tokens remain with the client web application (the server side) and the authorization server does not send these to the browser. Only the authorization code is visible to the browser.
The client application redirects the resource owner to the authorization server through the web browser. The resource owner authenticates at the authorization server. The authorization server obtains resource owner’s consent and then redirects the web browser with the authorization code to the client application.
This flow is suitable for client applications who can interact with the resource owner’s user-agent and can receive incoming requests from the authorization server.