Resource Server
Guards the protected resource.
Handles requests from the Client which contain the access token.
Needs to be able to verify the access token to determine how to process the request.
Based on how the access token is minted by the Authorization Server, the Resource Server has different avenues to verify that the access token is legitimate. Some avenues include:
Looking up the access token in a database shared with the Authorization Server.
In cases where the access token is a JWT, verifying that the signature is correct.
OAuth does not specify the format of the access token; this choice is left to the developer.
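The two avenues above, sketched as an added example (not code from the original page). Assumptions: JWTs are signed with HS256 using a key both servers hold, a dict stands in for the shared database, and all names and sample values are hypothetical. It goes slightly beyond the text by also pinning the algorithm and checking expiry.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (assumptions, not from the page).
SHARED_KEY = b"demo-key-known-to-both-servers"
TOKEN_DB = {"opaque-abc123": {"sub": "alice", "scope": "read", "exp": 4102444800}}


def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_jwt(claims, key=SHARED_KEY, alg="HS256"):
    """Authorization Server side; present only so the sample runs offline."""
    signed = _b64e(json.dumps({"alg": alg}).encode()) + "." + _b64e(json.dumps(claims).encode())
    return signed + "." + _b64e(hmac.new(key, signed.encode(), hashlib.sha256).digest())


def verify_jwt(token, now, key=SHARED_KEY):
    """Return the claims if the signature and expiry check out, else None."""
    try:
        signed, sig_b64 = token.rsplit(".", 1)
        header_b64, body_b64 = signed.split(".")
        # Pin the algorithm; never let the token pick it (rejects "none").
        if json.loads(_b64d(header_b64)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, signed.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig_b64)):
            return None
        claims = json.loads(_b64d(body_b64))
        return claims if claims["exp"] > now else None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None


def verify_access_token(token, now=None):
    """Resource Server check: JWTs by signature, opaque tokens by lookup."""
    now = time.time() if now is None else now
    if token.count(".") == 2:
        return verify_jwt(token, now)
    record = TOKEN_DB.get(token)  # stands in for the shared database
    return record if record and record["exp"] > now else None
```

The signature is checked before the claims are parsed, so nothing in an unverified payload influences the decision.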