Authorization Server

  • HTTP Server that acts as the central component of an OAuth System.

    • Trusted by the protected resource to issue special purpose security credentials called access tokens to Clients.

  • Typically assigns the Client the client_id and client_secret (if needed)

    • Assignment happens through a developer portal, dynamic client registration, or by other means.

  • Only the Authorization Server can authenticate users, register clients, and issue tokens.

  • Required to expose two endpoints:

    • Authorization Endpoint (serve front-channel interactions)

    • Token Endpoint (serve back-channel interactions)

  • If the Authorization Server stores access tokens (rather than using a stateless format such as JWT), it is highly recommended that it store only a hash of each token, so that a leaked token store does not yield usable credentials.

  • In the case where the Authorization Code grant is being used, the Authorization Server should bind the code to the client_id of the Client.

    • This prevents a malicious Client from exchanging a stolen authorization code for an access token at the Token Endpoint.
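The two points above (hashing stored access tokens, and binding an authorization code to the client_id that obtained it) can be seen together in a minimal Token Endpoint model. The code below is an added example written for these notes, not code from the page or from any OAuth library; the client registrations, secrets and scope values are constructed sample data, and the in-memory dictionaries stand in for whatever database a real Authorization Server would use.

```python
import hashlib
import hmac
import secrets
import time

CODE_LIFETIME_SECONDS = 600  # RFC 6749 recommends codes live at most ten minutes


def hash_token(token: str) -> str:
    """Digest used as the storage key for tokens; the raw token is never stored."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class AuthorizationServer:
    def __init__(self):
        # Constructed sample registrations (client_id -> client_secret).
        self.clients = {"app-123": "secret-for-app-123", "app-456": "secret-for-app-456"}
        # Authorization codes, each bound to the client_id it was issued to.
        self.codes = {}
        # Access tokens stored ONLY by hash: hash -> {"client_id", "scope"}.
        self.tokens = {}

    def issue_code(self, client_id: str, scope: str, now: float = None) -> str:
        """Front channel (Authorization Endpoint) result: a code bound to one client."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)
        self.codes[code] = {
            "client_id": client_id,
            "scope": scope,
            "expires_at": now + CODE_LIFETIME_SECONDS,
            "used": False,
        }
        return code

    def exchange_code(self, code: str, client_id: str, client_secret: str,
                      now: float = None) -> dict:
        """Back channel (Token Endpoint): authenticate the client, check the binding."""
        now = time.time() if now is None else now

        # 1. Authenticate the client with a constant-time secret comparison.
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return {"error": "invalid_client"}

        # 2. Look up the code and reject unknown, expired or replayed codes.
        record = self.codes.get(code)
        if record is None or record["used"] or now > record["expires_at"]:
            return {"error": "invalid_grant"}

        # 3. The binding check: the code may only be redeemed by the client it was issued to.
        if record["client_id"] != client_id:
            return {"error": "invalid_grant"}

        # 4. Mark the code consumed, mint a token, and persist only its hash.
        record["used"] = True
        access_token = secrets.token_urlsafe(32)
        self.tokens[hash_token(access_token)] = {
            "client_id": client_id,
            "scope": record["scope"],
        }
        return {"access_token": access_token, "token_type": "Bearer"}

    def introspect(self, access_token: str) -> dict:
        """Resource-side lookup: hash the presented token and find its record."""
        return self.tokens.get(hash_token(access_token))


if __name__ == "__main__":
    srv = AuthorizationServer()
    code = srv.issue_code("app-123", "read")
    print(srv.exchange_code(code, "app-456", "secret-for-app-456"))  # other client: invalid_grant
    print(srv.exchange_code(code, "app-123", "secret-for-app-123"))  # rightful client: token
```

The binding check in step 3 is what makes a stolen code useless to another registered client: even with valid credentials of its own, app-456 cannot redeem a code that was issued to app-123. Storing tokens by SHA-256 means a dump of `self.tokens` contains no value that can be presented as a bearer token.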
