
OAuth 2.0 role


May 23, 2021 OAuth 2.0 Series



Role

OAuth 2.0 defines the following roles for users and apps:

  • The resource owner
  • The resource server
  • The client app
  • The authorization server

These roles are represented in the following image:

OAuth 2.0 role

Role definition in the OAuth 2.0 specification

A resource owner is a person or app that has shared data. Facebook or Google users, for example, are resource owners, and the resources they have are their data. The resource owner is drawn as a human in the figure above, which is also the most common situation, but a resource owner can also be an app. The OAuth 2.0 specification allows both possibilities.

A resource server is a server that hosts resources. For example, Facebook or Google are resource servers (or have a resource server).

A client app is an app that requests access to resources stored on a resource server. The resources are owned by the resource owner. The client app can be, for example, a third-party game that requests access to a user's Facebook account.

An authorization server is the server that authorizes a client app to access resources owned by the resource owner. The authorization server and the resource server can be the same server, but this is not required. If the two servers are separate, OAuth 2.0 does not specify how they should communicate; that is left to the design of the resource server and authorization server developers.
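As an added example that is not part of the original article, the four roles as a small Python simulation: the authorization server issues a token only for a registered client and only for scopes the resource owner consented to, and the resource server serves data only against a token that verifies and covers the requested scope. The HMAC-signed token format, the key shared by the two servers, and all names and data are constructed assumptions, one possible answer to the server-to-server question the specification leaves open.

```python
import hashlib
import hmac
from dataclasses import dataclass
# Constructed sample data: "alice" is the resource owner; the key is shared by the two servers.
RESOURCE_DATA = {"alice": {"profile": "Alice A.", "email": "alice@example.test"}}
SHARED_KEY = b"constructed-demo-key-not-for-production"

@dataclass
class AuthorizationServer:
    key: bytes
    registered_clients: dict  # client_id -> scopes that client may request

    def issue_token(self, client_id, owner, requested, consented, now, ttl=300):
        """Issue a token only for a registered client and only for scopes the owner consented to."""
        if client_id not in self.registered_clients:
            raise PermissionError("unknown client app")
        granted = set(requested) & self.registered_clients[client_id] & set(consented)
        if not granted:
            raise PermissionError("resource owner granted nothing")
        payload = f"{client_id}|{owner}|{','.join(sorted(granted))}|{now + ttl}"
        tag = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{tag}"

@dataclass
class ResourceServer:
    key: bytes
    data: dict  # owner -> {scope: value}

    def verify_token(self, token, now):
        """Return the token's claims, or None if it is malformed, forged or expired."""
        parts = token.split("|")
        if len(parts) != 5:
            return None
        payload, tag = "|".join(parts[:4]), parts[4]
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag) or int(parts[3]) <= now:
            return None
        return {"client": parts[0], "owner": parts[1], "scopes": set(parts[2].split(","))}

    def read(self, token, owner, scope, now):
        """Serve a resource only if the token is valid for this owner and covers the scope."""
        claims = self.verify_token(token, now)
        if claims is None or claims["owner"] != owner or scope not in claims["scopes"]:
            raise PermissionError(f"token does not grant {scope!r} on {owner!r}")
        return self.data[owner][scope]

def client_app(client_id, owner, requested, scope, consented, auth, resources, now):
    """The client app's view: obtain a token, then present it to the resource server."""
    token = auth.issue_token(client_id, owner, requested, consented, now)
    return resources.read(token, owner, scope, now)
```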