Overview#
Authorization Server (AS) is an Actor within OAuth 2.0 and OpenID Connect which typically provides the Security Token Service (STS) or, colloquially, the server that issues tokens. The Authorization Server is the application that issues tokens to the OAuth Client, which allow access to the data on the Resource Server on behalf of the Resource Owner.
Typically the Authorization Server could also be an Identity Provider (IDP), though there is no reason they could not be separate servers.
Policy Administration Point#
Typically we can think of the Authorization Server as the Policy Information Point where the policy is defined and subsequently stored. The Resource Server is the Policy Enforcement Point where the policy is enforced.
Components#
The Authorization Server typically has the following components:
- An Authorization_endpoint component - typically a login page presented to the Resource Owner, backed by an Identity Provider (IDP)
- A Consent component - for obtaining consent from the Resource Owner for Delegation of the Protected Resource to the OAuth Client
- A Security Token Service (Token_endpoint) component for managing Tokens
- An Openid-configuration Endpoint, introduced by OpenID Connect
The Authorization Server and the Resource Server could be the same server, but they do not have to be. The OAuth 2.0 specification does not provide an Authentication protocol for the Resource Owner. It strongly suggests that OAuth Client applications use the Authorization Header when accessing the Token_endpoint, but it says nothing about the Authentication of the Resource Owner when their approval is needed for a Delegation (only that they must be Authenticated). This keeps Authentication completely orthogonal to the approval process, and Authorization Servers are free to implement Authentication any way they choose.
User-Managed Access standardizes the communication between the Authorization Server and the Resource Server, which is critical because there are use cases that put them in different domains run by different companies.
In User-Managed Access (UMA), the Authorization Server has an Authorization Server Operator, the Legal Person that operates the Authorization Server.
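To make the component list and the Token_endpoint remark above concrete, here is an added example (not code from this page or from any real Authorization Server product) that models two pieces of an Authorization Server in Python: the Openid-configuration document that advertises the Authorization_endpoint, Token_endpoint and JWKS location, with the checks a Relying Party should run on it, and the Token_endpoint's client authentication from the HTTP Authorization header as described in RFC 6749 section 2.3.1 (client_secret_basic). The issuer URL, client identifier and client secret are constructed values for the demonstration.

```python
import base64
import binascii
import hmac
from urllib.parse import quote, unquote, urlparse

# Constructed client registry (client_id -> client_secret) for the demo only.
# A real Authorization Server stores a salted hash of the secret, not the secret.
REGISTERED_CLIENTS = {"demo-client": "constructed-client-secret"}


def openid_configuration(issuer: str) -> dict:
    """Build a minimal openid-configuration document advertising the
    Authorization Server components: authorization, token and JWKS endpoints."""
    return {
        "issuer": issuer,
        "authorization_endpoint": f"{issuer}/authorize",
        "token_endpoint": f"{issuer}/token",
        "jwks_uri": f"{issuer}/jwks",
        "response_types_supported": ["code"],
        "subject_types_supported": ["public"],
        "id_token_signing_alg_values_supported": ["RS256"],
        "token_endpoint_auth_methods_supported": ["client_secret_basic"],
    }


def configuration_problems(doc: dict, fetched_from: str) -> list:
    """Checks a Relying Party should run on a fetched discovery document.
    Returns a list of problems; an empty list means the document is acceptable.
    The issuer must match the URL the document came from, and every endpoint
    must be https on the issuer's host, so a tampered document cannot redirect
    the client to a foreign token endpoint."""
    problems = []
    issuer = doc.get("issuer", "")
    if issuer != fetched_from:
        problems.append("issuer does not match the URL the document was fetched from")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if not value:
            problems.append(f"{key} missing")
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https":
            problems.append(f"{key} is not https")
        if urlparse(issuer).netloc != parsed.netloc:
            problems.append(f"{key} points at a different host than the issuer")
    return problems


def parse_basic_client_credentials(authorization_header):
    """Decode an RFC 6749 section 2.3.1 'Basic' Authorization header.
    Returns (client_id, client_secret) or None when the header is malformed."""
    if not authorization_header:
        return None
    scheme, _, param = authorization_header.partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    client_id, secret = decoded.split(":", 1)
    # The spec form-urlencodes both values before base64 encoding them.
    return unquote(client_id), unquote(secret)


def authenticate_client(headers: dict, clients=REGISTERED_CLIENTS):
    """Token_endpoint client authentication. Returns the authenticated client_id
    or None. The comparison is constant-time so the check does not leak how
    many characters of the presented secret were correct."""
    creds = parse_basic_client_credentials(headers.get("Authorization"))
    if creds is None:
        return None
    client_id, presented = creds
    expected = clients.get(client_id)
    if expected is None:
        # Compare against a dummy so an unknown client_id takes about as long
        # as a wrong secret for a known client_id.
        hmac.compare_digest(presented.encode(), b"x" * 32)
        return None
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return None
    return client_id


def basic_header(client_id: str, secret: str) -> str:
    """Build the header an OAuth Client sends to the Token_endpoint."""
    raw = f"{quote(client_id, safe='')}:{quote(secret, safe='')}".encode()
    return "Basic " + base64.b64encode(raw).decode()
```

The same document would also be served by a real Authorization Server at `/.well-known/openid-configuration`; the `configuration_problems` check is the Relying Party's side of that exchange, and `authenticate_client` is what the Token_endpoint runs before it even looks at the grant.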
Typical Implementation#
In a typical Implementation the Authorization Server acts both as the Policy Decision Point and as the Policy Enforcement Point that protects the OAuth 2.0 Authorization Endpoint.
More Information#
There might be more information for this subject on one of the following:
- ACDC Grant type
- API-Gateway
- Abstract Protocol Flow
- Access Token
- Access Token Request
- Access Token Response
- Access Token Validation
- Access_denied
- Account_selection_required
- Acr_values
- Amr_values
- App2app
- Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
- Auth 2.0 Resource Set Registration
- Authentication Context Class
- Authentication Context Class Reference
- Authentication Request
- Authorization API
- Authorization API Endpoint
- Authorization Code
- Authorization Code Flow
- Authorization Cross Domain Code 1.0
- Authorization Grant
- Authorization Request
- Authorization Request Parameters
- Authorization Response
- Authorization Server Authentication of the End-User
- Authorization Server Operator
- Authorization Server Request End-User Consent-Authorization
- Authorization_endpoint
- Back-channel Communication
- Claim_token
- Claimed Https Scheme URI Redirection
- Client Credentials Grant
- Client Secret
- Client_assertion_type
- Client_id
- Code_challenge_method
- Consent Mechanism
- Consent_required
- Cool Identity Token Uses
- Covert Redirect Vulnerability
- Creating an OAuth 2.0 Client Application
- Custom URI scheme
- Delegation vs Impersonation
- Display Parameter
- Encoding claims in the OAuth 2 state parameter using a JWT
- Expires_in
- External User-Agent
- FAPI Pushed Request Object
- Federated Authorization for UMA 2.0
- Forbidden
- Form Post Response Mode
- Grant Negotiation and Authorization Protocol
- Grant Types
- Hybrid Flow
- Id_token_hint
- Identity Token
- Implicit Grant
- Implicit Scopes
- Include_granted_scopes
- Interaction_required
- JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
- Login_hint
- Login_hint_token
- Login_required
- Loopback Interface Redirection
- Macaroons
- Malicious Endpoint
- Mod_auth_openidc
- Mutual TLS Profiles for OAuth Clients
- Mutual TLS Sender Constrained Resources Access
- OAuth 2.0
- OAuth 2.0 Actors
- OAuth 2.0 Audience Information
- OAuth 2.0 Authorization Server Metadata
- OAuth 2.0 Client Registration
- OAuth 2.0 Client Types
- OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer
- OAuth 2.0 Device Profile
- OAuth 2.0 Dynamic Client Registration Management Protocol
- OAuth 2.0 Dynamic Client Registration Protocol
- OAuth 2.0 Endpoints
- OAuth 2.0 Incremental Authorization
- OAuth 2.0 JWT Secured Authorization Request
- OAuth 2.0 Message Authentication Code (MAC) Tokens
- OAuth 2.0 Mix-Up Attack
- OAuth 2.0 Multiple Response Type Encoding Practices
- OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens
- OAuth 2.0 Protocol Flows
- OAuth 2.0 Security Best Current Practice
- OAuth 2.0 Security-Closing Open Redirectors in OAuth
- OAuth 2.0 Token Exchange
- OAuth 2.0 Token Exchange Request
- OAuth 2.0 Token Introspection
- OAuth 2.0 Token Revocation
- OAuth 2.0 Tokens
- OAuth 2.0 Use Cases
- OAuth 2.0 Vulnerabilities
- OAuth 2.0 for Native Apps
- OAuth Client
- OAuth Confidential Client
- OAuth Error
- OAuth Parameters Registry
- OAuth Scope Example
- OAuth Scope Validation
- OAuth Scopes
- OAuth Token Profile
- OAuth Token Response
- OAuth and OIDC Adoption
- Offline_access
- OpenID Connect
- OpenID Connect Authentication Response
- OpenID Connect Authorization Flow
- OpenID Connect Claims
- OpenID Connect Client Initiated Backchannel Authentication Flow
- OpenID Connect Federation
- OpenID Connect Provider
- OpenID Connect Scopes
- OpenIG
- Openid scope
- OxAuth
- Permission Ticket
- Permission ticket
- Permission_registration_endpoint
- Persisted Claims Token
- Ping Identity
- Private-Use URI Scheme Redirection
- Privileged Scope
- Prompt Parameter
- Proof Key for Code Exchange by OAuth Public Clients
- Protection API
- Protection API Token
- REST Profile of XACML
- Redirect_uri
- Refresh Token
- Refresh Token Grant
- Registration_endpoint
- Requested_token_type
- Requested_token_use
- Requesting Party Token Endpoint
- Resource Owner Password Credentials Grant
- Resource Parameter
- Resource_set_registration_endpoint
- Response Type
- Response_mode
- Response_type
- Revocation Request
- Salesforce
- Scopes vs Claims
- Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
- Security Token Service
- Select_account
- Server_error
- Temporarily_unavailable
- Token Introspection Endpoint
- Token Service Provider
- Token Storage
- Token_endpoint
- Token_type_hint
- UMA 2.0 Grant for OAuth 2.0 Authorization
- Uma-configuration
- Unsupported_token_type
- Upgraded
- User-Managed Access
- Want_composite
- Web Blog_blogentry_101017_1
- Web Blog_blogentry_140615_1
- Web Blog_blogentry_231215_1
- Web Blog_blogentry_240815_1
- Web Blog_blogentry_260715_1
- Web Blog_blogentry_300717_1
- Web Blog_blogentry_310715_1
- Why Access Tokens