Resource Server

  • Guards the protected resource.

  • Handles requests from the Client which contain the access token.

  • Needs to be able to verify the access token to determine how to process the request.

  • Based on how the access token is minted by the Authorization Server, the Resource Server has different avenues to verify that the access token is legitimate. Some avenues include:

    • Looking up the access token in a database shared with the Authorization Server

    • In cases where the access token is a JWT, verifying that its signature is valid.

      • OAuth does not specify the format of the access token; this choice is left to the developer.
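As an added example (not code from the original page), here are both verification avenues side by side in standard-library Python: an opaque token looked up in a store shared with the Authorization Server, and a JWT whose signature is checked before its claims are trusted. The HS256 shared secret, the token store, the audience value and the `mint_hs256_jwt` helper are assumptions made so the example runs on its own.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data standing in for what the Authorization Server holds.
# The HS256 shared secret, the opaque-token store and the audience are assumptions.
SHARED_SECRET = b"demo-shared-secret-not-for-production"
OPAQUE_TOKEN_STORE = {"tok_abc123": {"sub": "alice", "scope": "read", "exp": 2000}}
EXPECTED_AUD = "https://api.example.test"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256_jwt(claims: dict) -> str:
    # Stands in for the Authorization Server; a Resource Server only verifies.
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_opaque(token: str, now=None):
    """Avenue 1: look the token up in the store shared with the Authorization Server."""
    now = time.time() if now is None else now
    record = OPAQUE_TOKEN_STORE.get(token)
    if record is None or record["exp"] <= now:
        return None
    return record

def verify_jwt(token: str, now=None):
    """Avenue 2: check the signature first, then the exp and aud claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the expected algorithm; never let the token's own "alg" pick the check.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now or claims.get("aud") != EXPECTED_AUD:
        return None
    return claims
```

Note that the signature is verified before any claim is read, and the algorithm is fixed by the Resource Server rather than taken from the token header.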
