In OAuth 2.0, the Authorization Server is the Security Token Service (STS) or, colloquially, the server that issues tokens.

The Authorization Server is the server that authorizes the OAuth Client to access data on the Resource Server on behalf of the Resource Owner.

Typically the Authorization Server would also be an Identity Provider (IDP), though there is no reason they could not be separate servers.

Policy Administration Point#

Typically we can think of the Authorization Server as the Policy Administration Point, where the policy is defined and subsequently stored. The Resource Server is the Policy Enforcement Point, where the policy is enforced.


Authorization Server typically has the following components:

The Authorization Server and the Resource Server could be the same server, but they do not have to be. The OAuth 2.0 specification does not provide an Authentication protocol for the Resource Owner. It strongly suggests that OAuth Client applications should use the HTTP Authorization header (HTTP Basic with the client credentials) when accessing the Token Endpoint, but it says nothing about the Authentication of the Resource Owner when their approval is needed for a Delegation (only that they must be Authenticated). This keeps Authentication completely orthogonal to the approval process, and Authorization Servers are free to implement the Authentication any way they choose (password login, session cookies, a separate IDP, and so on).

User Managed Access (UMA) standardizes the communication between the Authorization Server and the Resource Server. This is critical for the use cases where the two are in different domains run by different companies, because plain OAuth 2.0 leaves that communication unspecified.

Typical Implementation#

In a typical implementation the Authorization Server acts both as the Policy Decision Point and as the Policy Enforcement Point that protects the OAuth 2.0 Authorization Endpoint: it requires the Resource Owner to be Authenticated and to approve the Delegation before any Authorization Code or token is issued.
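The role split described above (Authorization Server as Policy Administration and Policy Decision Point, Resource Server as Policy Enforcement Point, client authentication via the Authorization header at the Token Endpoint, Resource Owner authentication left to whatever the IDP established) is easiest to see in code. The following is an added in-memory illustration, not code from this wiki or from any product: the client registry, the "photo-app" client, its secret and redirect URI, the "photos:read" scope, the session dict standing in for the IDP login, and the introspection call the Resource Server makes are all constructed for the example.

```python
import base64
import hmac
import secrets
import time
from urllib.parse import unquote

# Policy Administration Point: registered clients and the scopes each may request.
# Constructed sample data; a real AS keeps this in an administrator-managed store.
CLIENTS = {
    "photo-app": {"secret": "s3cret", "redirect_uri": "https://photo.example/cb",
                  "scopes": {"photos:read"}},
}
AUTH_CODES = {}   # code -> grant details (single use, short lived)
TOKENS = {}       # access token -> what it authorizes
CODE_TTL, TOKEN_TTL = 60, 3600

def parse_basic_client_auth(headers):
    """RFC 6749 2.3.1: 'Authorization: Basic base64(client_id:client_secret)', each part
    form-urlencoded before Base64. Returns (client_id, secret) or None."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    return (unquote(client_id), unquote(secret)) if sep else None

def authenticate_client(headers):
    """Client authentication at the Token Endpoint. Unknown ids are compared against a
    dummy secret so response time does not reveal which client ids exist."""
    creds = parse_basic_client_auth(headers)
    if creds is None:
        return None
    client_id, secret = creds
    client = CLIENTS.get(client_id)
    expected = client["secret"] if client else "x" * len(secret)
    ok = hmac.compare_digest(expected.encode(), secret.encode())
    return client_id if client and ok else None

def authorization_endpoint(session, params, now=None):
    """PEP in front of the Authorization Endpoint. How the Resource Owner was authenticated
    is out of scope for OAuth; 'session' is whatever the IdP established (constructed here)
    and 'approved' records the owner's delegation decision."""
    now = now or time.time()
    if not session.get("authenticated"):
        return {"error": "login_required"}
    client = CLIENTS.get(params.get("client_id"))
    if client is None or params.get("redirect_uri") != client["redirect_uri"]:
        return {"error": "invalid_request"}        # never redirect to an unregistered URI
    scope = set(params.get("scope", "").split())
    if not scope or not scope <= client["scopes"]:
        return {"error": "invalid_scope"}
    if not session.get("approved"):
        return {"error": "access_denied"}
    code = secrets.token_urlsafe(32)
    AUTH_CODES[code] = {"client_id": params["client_id"], "sub": session["sub"], "scope": scope,
                        "redirect_uri": params["redirect_uri"], "expires": now + CODE_TTL}
    return {"code": code}

def token_endpoint(headers, form, now=None):
    """Redeems an authorization code; the client is authenticated from the Authorization
    header, not from the form body."""
    now = now or time.time()
    client_id = authenticate_client(headers)
    if client_id is None:
        return {"error": "invalid_client"}
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    grant = AUTH_CODES.pop(form.get("code"), None)   # pop: a code is single use
    if (grant is None or grant["client_id"] != client_id or grant["expires"] < now
            or grant["redirect_uri"] != form.get("redirect_uri")):
        return {"error": "invalid_grant"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"client_id": client_id, "sub": grant["sub"], "scope": grant["scope"],
                     "expires": now + TOKEN_TTL}
    return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}

def introspect(token, now=None):
    """Policy Decision Point: the AS says whether a token is active and what it carries
    (response shape follows RFC 7662)."""
    now = now or time.time()
    rec = TOKENS.get(token)
    if rec is None or rec["expires"] < now:
        return {"active": False}
    return {"active": True, "sub": rec["sub"], "client_id": rec["client_id"],
            "scope": " ".join(sorted(rec["scope"]))}

def resource_server(headers, required_scope, now=None):
    """Policy Enforcement Point: the Resource Server decides nothing itself; it presents
    the bearer token to the AS and enforces the answer."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, {"error": "invalid_token"}
    info = introspect(token, now)
    if not info["active"]:
        return 401, {"error": "invalid_token"}
    if required_scope not in info["scope"].split():
        return 403, {"error": "insufficient_scope"}
    return 200, {"owner": info["sub"], "photos": ["a.jpg", "b.jpg"]}   # constructed payload

def demo():
    """Whole flow: owner approves at the AS, client redeems the code, RS enforces."""
    session = {"authenticated": True, "sub": "alice", "approved": True}   # constructed IdP session
    auth = authorization_endpoint(session, {"client_id": "photo-app", "scope": "photos:read",
                                            "redirect_uri": "https://photo.example/cb"})
    client_auth = {"Authorization": "Basic " + base64.b64encode(b"photo-app:s3cret").decode()}
    tok = token_endpoint(client_auth, {"grant_type": "authorization_code", "code": auth["code"],
                                       "redirect_uri": "https://photo.example/cb"})
    return resource_server({"Authorization": "Bearer " + tok["access_token"]}, "photos:read")
```

Running demo() returns (200, {...}) for alice's photos. Note what each role never does: the Resource Server never reads the client registry or the consent record, it only asks the Authorization Server about the token; the Token Endpoint never looks at the Resource Owner at all, only at the client credentials in the Authorization header and the code that the Authorization Endpoint issued after the owner's approval.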

More Information#

There might be more information for this subject on one of the following:

This page (revision-15) was last changed on 24-Dec-2015 01:26 by jim