yes! The flow is correct. It is a standard ping-pong exchange via OAuth2. As specified in the manual: "The client is redirected to the redirection endpoint, which is specified when creating an application in Management Console, after the interaction with the authorization endpoint is completed. Values added to the redirect_uri:...". -> So you must authenticate.
After correct authentication, you will be redirected to your "https://client.example/cb", with your state parameter, plus a code that can be used to get an access token.
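As an added example (not code from the poster or the product manual), this is how a client can handle that redirect back to `redirect_uri`: confirm the callback landed on the registered URI, check the `state` value against the one stored in the user's session so a forged or replayed callback is rejected, pull out the `code`, and assemble the form body for the token endpoint. The redirect URI, client credentials and callback values are constructed placeholders, and a confidential client with a client secret is assumed.

```python
from urllib.parse import urlparse, parse_qs
import hmac
import secrets

# Constructed placeholder matching the post; a real client uses the URI
# registered for the application in the Management Console.
REDIRECT_URI = "https://client.example/cb"


def make_state() -> str:
    """Unguessable state value, generated before redirecting to the authorization endpoint."""
    return secrets.token_urlsafe(32)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect to redirect_uri and return the authorization code."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback did not arrive at the registered redirect_uri")
    params = parse_qs(parsed.query)
    if "error" in params:
        # Authorization server reported a failure instead of issuing a code.
        raise ValueError(f"authorization server returned error: {params['error'][0]}")
    state = params.get("state", [""])[0]
    # Constant-time comparison against the value saved in the user's session.
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def callback_is_valid(callback_url: str, expected_state: str) -> bool:
    """Boolean wrapper around parse_callback for callers that only need accept/reject."""
    try:
        parse_callback(callback_url, expected_state)
        return True
    except ValueError:
        return False


def build_token_request(code: str, client_id: str, client_secret: str) -> dict:
    """Form body for the token endpoint (RFC 6749, section 4.1.3); sending it is left to the caller."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must match the value used in the authorization request
        "client_id": client_id,
        "client_secret": client_secret,
    }
```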