• A client requests access to a provider’s service using its own unique client ID and secret token.
• The user logs into the service directly (using a web page on the provider’s server) and grants the client permission to access it.
• The provider redirects the user to a URL unique to the client, passing along a verification code in the query string.
• The client verifies the authorization request and uses the verification code from step 3 to obtain an access token.
• The client may periodically refresh the access token when it expires.

Source: OAuth2 for iPhone and iPad applications
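
The flow above from the client's side, as an added example that is not taken from the cited source: it builds the authorization URL, verifies the redirect from step 3 before using the verification code, and forms the token and refresh request bodies. The endpoint, client credentials, redirect URI and the use of the standard OAuth 2.0 `state` parameter for the step 4 check are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical provider endpoint and client registration (constructed values).
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://client.example/callback"


def build_authorization_url(state):
    """Steps 1-2: URL where the user logs in; state is a random per-request value."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def extract_code(callback_url, expected_state):
    """Steps 3-4: verify the redirect and return the verification code."""
    parts = urlsplit(callback_url)
    if (parts.scheme + "://" + parts.netloc + parts.path) != REDIRECT_URI:
        raise ValueError("callback does not match the registered redirect URI")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    returned_state = query.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for this request")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def token_request(code=None, refresh_token=None):
    """Steps 4-5: form body POSTed to the provider's token endpoint."""
    body = {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
    if refresh_token is not None:
        body.update(grant_type="refresh_token", refresh_token=refresh_token)
    else:
        body.update(grant_type="authorization_code", code=code,
                    redirect_uri=REDIRECT_URI)
    return body


state = secrets.token_urlsafe(16)  # stored by the client until the redirect arrives
callback = REDIRECT_URI + "?" + urlencode({"code": "constructed-code", "state": state})
print(token_request(code=extract_code(callback, state)))
```

A redirect that carries the wrong `state`, no code, an `error` parameter, or a different callback address is rejected before any token request is made.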