About
The authorization server is one of the four OAuth 2.0 roles (alongside the resource owner, the resource server and the client).
It is the server that issues access tokens to the client after successfully authenticating the resource owner and obtaining the resource owner's authorization.
Implementation
The authorization server may be:
- the same server as the resource server,
- or a separate entity. A single authorization server may also issue access tokens that are accepted by several resource servers.
How the authorization server and the resource server interact (for example, how the resource server validates a token it receives) is beyond the scope of the OAuth specification.
The authorization server SHOULD NOT make assumptions about the client type: whether a client is confidential (able to keep its credentials secret) or public is decided by the server's own definition of secure client authentication at registration time, not taken on trust from the client.
Before issuing any authorization grant, the authorization server MUST first verify the identity of the resource owner. The way in which it authenticates the resource owner (e.g., username and password login, session cookies, …) is beyond the scope of the OAuth specification.
Endpoint
The OAuth specification does not fix the URL paths; the ones below are common choices. Both endpoints MUST be served over TLS, since their requests and responses carry credentials.
- /authorize - Authorization endpoint - used by the client to obtain authorization from the resource owner via user-agent redirection (authorization code and implicit grants). Errors are reported to the client's registered redirect URI, except when the client_id or redirect_uri itself is missing or invalid, in which case the server MUST NOT redirect the user-agent and should inform the resource owner instead.
- /oauth/token - Token endpoint - used by the client to exchange an authorization grant (or a refresh token) for an access token, typically with client authentication; used by every grant type except the implicit grant. Token requests MUST use the HTTP POST method.
Cache HTTP Headers
Any response that contains an access token (or other credentials or sensitive information) MUST include the following Cache-Control and Pragma HTTP headers so that clients and intermediaries do not cache the response:
Cache-Control: no-store
Pragma: no-cache
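The pieces above (verify the resource owner first, issue a code from the authorization endpoint, authenticate the client and exchange the code at the token endpoint, send the no-cache headers on the token response) fit together as follows. This is an added example written for this page, not code from the original page or from any OAuth library: the two endpoints are plain functions over request dicts so that the logic runs offline, and the client registration, the redirect URI and the user name are constructed for illustration; a real server binds the functions to HTTPS routes and keeps clients and codes in a database.

```python
"""Authorization-code flow of an OAuth 2.0 authorization server, in miniature."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration (assumption: a real server keeps this in a database).
CLIENTS = {
    "web-app": {"secret": "s3cret", "redirect_uris": ["https://app.example/cb"]},
}
CODE_TTL = 60          # authorization codes are short-lived and single-use
_codes = {}            # code -> grant details, consumed on first use
# RFC 6749 5.1: any response carrying tokens or credentials must not be cached.
NO_CACHE = {"Cache-Control": "no-store", "Pragma": "no-cache"}


def _reply(status, body=None, **headers):
    """Tiny stand-in for an HTTP response: status code, headers and a JSON-able body."""
    return {"status": status, "headers": headers, "body": body}


def authorize(params, session):
    """Authorization endpoint (e.g. GET /authorize).

    `session` is the server's own login state. How the resource owner was
    authenticated (password form, session cookie, ...) is outside OAuth's
    scope, but the user must be verified before any code is issued."""
    client = CLIENTS.get(params.get("client_id"))
    redirect_uri = params.get("redirect_uri")
    if client is None or redirect_uri not in client["redirect_uris"]:
        # Unknown client or unregistered redirect URI: never redirect, answer directly.
        return _reply(400, {"error": "invalid_request"})
    if session.get("user") is None:
        return _reply(302, Location="/login")      # resource owner must log in first
    query = {}
    if "state" in params:
        query["state"] = params["state"]           # echoed back unchanged to the client
    if params.get("response_type") != "code":
        query["error"] = "unsupported_response_type"   # error goes to the registered URI
    else:
        code = secrets.token_urlsafe(32)
        _codes[code] = {"client_id": params["client_id"], "redirect_uri": redirect_uri,
                        "user": session["user"], "scope": params.get("scope", ""),
                        "expires": time.time() + CODE_TTL}
        query["code"] = code
    return _reply(302, Location=redirect_uri + "?" + urlencode(query))


def token(form, client_id, client_secret):
    """Token endpoint (e.g. POST /oauth/token, client credentials from HTTP Basic auth)."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client_secret, client["secret"]):
        return _reply(401, {"error": "invalid_client"}, **NO_CACHE)
    if form.get("grant_type") != "authorization_code":
        return _reply(400, {"error": "unsupported_grant_type"}, **NO_CACHE)
    grant = _codes.pop(form.get("code"), None)     # pop: a replayed code is rejected
    if (grant is None or grant["expires"] < time.time()
            or grant["client_id"] != client_id
            or grant["redirect_uri"] != form.get("redirect_uri")):
        return _reply(400, {"error": "invalid_grant"}, **NO_CACHE)
    body = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 3600, "scope": grant["scope"]}
    return _reply(200, body, **{"Content-Type": "application/json"}, **NO_CACHE)


def run_flow():
    """Walk the happy path once: authorize, exchange the code, then replay the code."""
    auth = authorize({"response_type": "code", "client_id": "web-app",
                      "redirect_uri": "https://app.example/cb", "scope": "read",
                      "state": "xyz"}, session={"user": "alice"})
    query = parse_qs(urlparse(auth["headers"]["Location"]).query)
    form = {"grant_type": "authorization_code", "code": query["code"][0],
            "redirect_uri": "https://app.example/cb"}
    first = token(form, "web-app", "s3cret")
    replay = token(form, "web-app", "s3cret")      # same code a second time
    return auth, query, first, replay


if __name__ == "__main__":
    auth, query, first, replay = run_flow()
    print("redirect:", auth["headers"]["Location"])
    print("token response:", first["status"], first["headers"], first["body"])
    print("replayed code:", replay["status"], replay["body"])
```

Two details worth noting: the token endpoint sends the Cache-Control and Pragma headers on its error responses as well, because those can still carry client credentials echoed through a proxy, and `_codes.pop` makes the code single-use so that a stolen code cannot be exchanged a second time.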
Library / Software
See What are Identity and Access Management Services (IAM)? ie Authentication and Authorization