1. A user wants to log in to your application
Modern applications often require users to log in to see certain pages or perform specific actions. In a modern OAuth/OpenID Connect scenario, the user is often redirected to the authorization server.
When the user clicks the login button, we are going to initiate the redirect and request an Authorization Code.
For this example we're using the Authorization Code Grant. Depending on your type of application, this might not be the right choice. How to leverage DPoP to demonstrate proof of possession will remain the same for all OAuth flows.
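
One way to build the authorization request that the login button triggers, as an added example (not code from the original page). The endpoint, client ID and redirect URI are constructed placeholders, and the PKCE parameters and the `dpop_jkt` parameter (RFC 9449, binds the authorization code to the DPoP key) are assumptions beyond what the text above describes.

```javascript
// Added example: authorization request for the Authorization Code Grant,
// with the code bound to a DPoP key via dpop_jkt (RFC 9449).
const crypto = require('node:crypto');

// Constructed placeholder values; replace with your own registration.
const AUTHORIZE_ENDPOINT = 'https://as.example.com/authorize';
const CLIENT_ID = 'example-client';
const REDIRECT_URI = 'https://app.example.com/callback';

// RFC 7638 thumbprint of an EC public JWK: SHA-256 over the required
// members only, in lexicographic order, with no whitespace.
function jwkThumbprint(jwk) {
  const canonical = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y });
  return crypto.createHash('sha256').update(canonical).digest('base64url');
}

// Generate the key pair that will later sign the DPoP proofs.
function createDpopKey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, publicJwk: publicKey.export({ format: 'jwk' }) };
}

// Build the redirect URL plus the values the app must keep in the session
// to validate the callback (state) and redeem the code (codeVerifier).
function buildAuthorizationRequest(publicJwk, scope = 'openid') {
  const state = crypto.randomBytes(16).toString('base64url');
  const codeVerifier = crypto.randomBytes(32).toString('base64url');
  const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url');

  const url = new URL(AUTHORIZE_ENDPOINT);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope,
    state,
    code_challenge: codeChallenge,
    code_challenge_method: 'S256',
    dpop_jkt: jwkThumbprint(publicJwk),
  }).toString();
  return { url: url.toString(), state, codeVerifier };
}

const key = createDpopKey();
console.log(buildAuthorizationRequest(key.publicJwk).url);
```

On the callback, compare the returned `state` with the stored one before redeeming the code, and sign the DPoP proof for the token request with the same private key.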