Authorization Server
The HTTP server that acts as the central component of an OAuth system.
Trusted by the Protected Resource to issue special-purpose security credentials, called access tokens, to Clients.
Typically assigns the Client its client_id and, if needed, a client_secret. A client_secret is only issued to confidential Clients (those that can keep a secret away from the end user, such as a server-side web application); public Clients such as native apps and browser-based apps get no secret. Assignment happens through a developer portal, dynamic client registration, or by other means.
Only the Authorization Server can authenticate users, register clients, and issue tokens.
Required to expose two endpoints:
Authorization Endpoint (serve front-channel interactions)
Token Endpoint (serve back-channel interactions)
See Supporting Terminology for more information about how front-channel and back-channel interactions work.
If the Authorization Server stores access tokens (opaque reference tokens, as opposed to a self-contained format such as a JWT that needs no server-side state), it is highly recommended that it stores only a hash of each token (SHA-256 is sufficient, since tokens are high-entropy random values). The Token Endpoint returns the plaintext token once, and lookups on introspection hash the presented token and compare. A compromise of the token store then yields hashes that cannot be replayed against the Protected Resource.
When the Authorization Code grant is used, the Authorization Server should bind each authorization code to the client_id (and the redirect_uri) it was issued for, and verify that binding at the Token Endpoint after authenticating the Client. A code that is captured by, or delivered to, a different Client then cannot be exchanged for an access token by that Client. Codes should also be short-lived and single-use, so that a leaked code is worthless once the legitimate Client has redeemed it. Accepting a code from whichever Client presents it is an instance of the Confused Deputy Problem.
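The following is an added example, not code from the original page: a minimal in-memory model of an Authorization Server that shows the three points above together, namely assigning client_id / client_secret at registration, binding authorization codes to the client_id and redirect_uri they were issued for and checking that binding (plus expiry and single use) at the Token Endpoint, and storing access tokens only as SHA-256 hashes. All function names, the dictionaries and the constructed URLs are illustrative assumptions, not an API from any real library or product.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not code from the original page. Names and the in-memory
# stores below are illustrative assumptions; a real Authorization Server
# would persist these and serve them over HTTPS.

CODE_LIFETIME = 60       # seconds; authorization codes are short-lived
TOKEN_LIFETIME = 3600    # seconds; access token validity

clients = {}   # client_id -> {"secret_hash": ..., "redirect_uris": [...]}
codes = {}     # code -> {"client_id", "redirect_uri", "user", "expires"}
tokens = {}    # sha256(token) -> {"client_id", "user", "expires"}


def _hash(value: str) -> str:
    """Tokens and secrets are high-entropy random strings, so a plain
    SHA-256 (no salt or stretching) is enough to make the store useless."""
    return hashlib.sha256(value.encode()).hexdigest()


def register_client(redirect_uris):
    """Developer-portal / dynamic-registration step: assign credentials."""
    client_id = secrets.token_urlsafe(16)
    client_secret = secrets.token_urlsafe(32)
    clients[client_id] = {"secret_hash": _hash(client_secret),
                          "redirect_uris": list(redirect_uris)}
    return client_id, client_secret   # the secret is shown to the developer once


def authorize(client_id, redirect_uri, user, now=None):
    """Authorization Endpoint (front channel): after the user consents,
    issue a code bound to this client_id and redirect_uri."""
    now = now or time.time()
    client = clients.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        raise ValueError("invalid_request")   # never redirect to an unregistered URI
    code = secrets.token_urlsafe(24)
    codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                   "user": user, "expires": now + CODE_LIFETIME}
    return code


def exchange_code(code, client_id, client_secret, redirect_uri, now=None):
    """Token Endpoint (back channel): authenticate the Client, then refuse
    any code that was not issued to this exact client_id / redirect_uri."""
    now = now or time.time()
    client = clients.get(client_id)
    if client is None or not hmac.compare_digest(client["secret_hash"],
                                                  _hash(client_secret)):
        raise ValueError("invalid_client")
    grant = codes.pop(code, None)   # single-use: consumed whether or not it matches
    if grant is None or grant["expires"] < now:
        raise ValueError("invalid_grant")
    if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
        # Confused deputy: a code captured by, or meant for, another Client
        raise ValueError("invalid_grant")
    token = secrets.token_urlsafe(32)
    tokens[_hash(token)] = {"client_id": client_id, "user": grant["user"],
                            "expires": now + TOKEN_LIFETIME}
    return token   # the plaintext token never enters the token store


def introspect(token, now=None):
    """Protected Resource check: look the presented token up by its hash."""
    now = now or time.time()
    entry = tokens.get(_hash(token))
    if entry is None or entry["expires"] < now:
        return None
    return entry
```

The mismatch check in exchange_code deliberately pops the code before comparing, so a code presented by the wrong Client is burned rather than left for a second attempt; RFC 6749 goes a step further and recommends revoking any tokens already issued from a code that is presented twice.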