Authorization Server


The Authorization Server (AS) is an Actor within OAuth 2.0 and OpenID Connect which typically provides the Security Token Service (STS); colloquially, it is the server that issues tokens.

The Authorization Server is the Application that issues the OAuth Client tokens, which allow access to the data on the Resource Server on behalf of the Resource Owner.

Typically the Authorization Server could also be an Identity Provider (IDP), though there is no reason that they could not be separate servers.

Policy Administration Point

Typically we can think of the Authorization Server as the Policy Information Point where the policy is defined and subsequently stored. The Resource Server is the Policy Enforcement Point where the policy is enforced.


Authorization Server typically has the following components:

The Authorization Server and the Resource Server could be the same server, but they don't have to be. The OAuth 2.0 specification does not provide an Authentication protocol for the Resource Owner. It strongly suggests that OAuth Client applications should use the Authorization Header for accessing the Token endpoint, but it says nothing about the Authentication of the Resource Owner when their approval is needed for a Delegation (only that they must be Authenticated). This leaves Authentication completely orthogonal to the approval process, and Authorization Servers are free to implement Authentication any way they choose.
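How an Authorization Server might check the client credentials sent in the Authorization Header at the Token endpoint, using the HTTP Basic encoding from RFC 6749 section 2.3.1. This is an added example, not code from the original page; `CLIENTS`, `basic_header` and `authenticate_client` are hypothetical names, headers are assumed to arrive as a dict keyed by `Authorization`, and client secrets are assumed to be high-entropy values stored as SHA-256 digests.

```python
import base64
import binascii
import hashlib
import hmac
from urllib.parse import quote_plus, unquote_plus

# Constructed client registry: client_id -> SHA-256 hex digest of the secret.
# Assumes server-generated, high-entropy secrets (otherwise use a password KDF).
CLIENTS = {"reports-app": hashlib.sha256(b"s3cr3t:with/colon").hexdigest()}

# RFC 6749 section 5.2: failed client authentication -> 401 + invalid_client.
INVALID_CLIENT = (401, {"WWW-Authenticate": 'Basic realm="token"'},
                  {"error": "invalid_client"})


def basic_header(client_id, secret):
    """Client side: form-urlencode each value, join with ':', then Base64."""
    pair = f"{quote_plus(client_id)}:{quote_plus(secret)}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def authenticate_client(headers):
    """Server side: return (client_id, None) or (None, error_response)."""
    scheme, _, credentials = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not credentials:
        return None, INVALID_CLIENT
    try:
        raw = base64.b64decode(credentials.strip(), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None, INVALID_CLIENT
    # A ':' inside either value is percent-encoded, so the first ':' is the
    # separator; decode only after splitting.
    raw_id, sep, raw_secret = decoded.partition(":")
    if not sep:
        return None, INVALID_CLIENT
    client_id, secret = unquote_plus(raw_id), unquote_plus(raw_secret)
    presented = hashlib.sha256(secret.encode("utf-8")).hexdigest()
    # Unknown clients are compared against a dummy digest so both paths do
    # the same work, and the comparison itself is constant-time.
    expected = CLIENTS.get(client_id, "0" * 64)
    matches = hmac.compare_digest(presented, expected)
    if not matches or client_id not in CLIENTS:
        return None, INVALID_CLIENT
    return client_id, None
```

Every failure path returns the same `invalid_client` response, so a caller cannot tell an unknown client from a wrong secret.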

User-Managed Access (UMA) standardizes their communication, and this is really critical because some use cases potentially put them in different domains run by different companies.

An Authorization Server has an Authorization Server Operator, which in User-Managed Access (UMA) is the Legal Person that operates the Authorization Server.

Typical Implementation

In a typical Implementation the Authorization Server acts both as the Policy Decision Point and also as the Policy Enforcement Point that protects the OAuth 2.0 Authorization Endpoint.
