
What is an Authorization Server in OAuth?

About

The authorization server is one of the four OAuth roles.

It's the server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

Implementation

The authorization server may be:

The interaction between the authorization server and resource server is beyond the scope of the OAuth specification.

The authorization server SHOULD NOT make assumptions about the client type.

The authorization server MUST first verify the identity of the resource owner. The way in which the authorization server authenticates the resource owner (e.g., username and password login, session cookies, …) is beyond the scope of the OAuth specification.

Endpoint

Cache HTTP Headers

When responding with an access token, the server must also include the following Cache-Control and Pragma HTTP headers so that clients and intermediaries do not cache the response.

Cache-Control: no-store
Pragma: no-cache
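
A check for the rule above, as an added example that is not part of the original page: it parses a raw HTTP response and reports when a response carrying an `access_token` lacks either header. The function name `audit_token_response`, the helper `_response` and the sample responses are constructed for illustration.

```python
import json

# Headers the page requires on any response that carries an access token.
REQUIRED = {"cache-control": "no-store", "pragma": "no-cache"}

def audit_token_response(raw):
    """Return findings for one raw HTTP/1.1 response; an empty list means OK."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:                                   # a header may be repeated
            headers.setdefault(name.strip().lower(), []).append(value)
    try:
        payload = json.loads(body)
    except ValueError:
        return []                                 # not JSON: no token here
    if not isinstance(payload, dict) or "access_token" not in payload:
        return []                                 # e.g. an error response
    findings = []
    for name, wanted in REQUIRED.items():
        # Values can be comma-separated directive lists ("private, no-store").
        directives = {d.strip().lower()
                      for v in headers.get(name, []) for d in v.split(",")}
        if wanted not in directives:
            findings.append(f"missing {name}: {wanted}")
    return findings

def _response(header_lines, body):
    # Helper for the constructed samples below.
    return "\r\n".join(["HTTP/1.1 200 OK", *header_lines, "", body])

TOKEN_BODY = json.dumps({"access_token": "constructed-example-token",
                         "token_type": "Bearer", "expires_in": 3600})

# Constructed sample responses (not captured from a real server).
GOOD = _response(["Content-Type: application/json",
                  "Cache-Control: no-store", "Pragma: no-cache"], TOKEN_BODY)
CACHEABLE = _response(["Content-Type: application/json",
                       "Cache-Control: private, max-age=0"], TOKEN_BODY)
ERROR = _response(["Content-Type: application/json"],
                  json.dumps({"error": "invalid_grant"}))

if __name__ == "__main__":
    for label, raw in [("good", GOOD), ("cacheable", CACHEABLE), ("error", ERROR)]:
        print(label, audit_token_response(raw) or "ok")
```
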

Library / Software

See What are Identity and Access Management Services (IAM)? ie Authentication and Authorization