OAuth 2.0 concepts

This topic introduces the main concepts of OAuth 2.0.

The following concepts are generally used in OAuth 2.0.

Resource owner
An entity capable of authorizing access to a protected resource. When the resource owner is a person, it is called an user.
OAuth client
A third-party application that wants access to the private resources of the resource owner. The OAuth client can make protected resource requests on behalf of the resource owner after the resource owner grants it authorization. OAuth 2.0 introduces two types of clients: confidential and public. Confidential clients are registered with a client secret, while public clients are not.
OAuth server
Known as the Authorization server in OAuth 2.0. The server that gives OAuth clients scoped access to a protected resource on behalf of the resource owner. The server issues an access token to the OAuth client after it successfully does the following actions:
  • Authenticates the resource owner.
  • Validates a request or an authorization grant.
  • Obtains resource owner authorization.
An authorization server can also be the resource server.
A property requested by the OAuth client, to specify the scope of the access request. The scope is used by the caller to tag the intended use of the token. The authorization server can use the scope response parameter to tell the client the scope of the access token that was issued. Scopes are usually shown on the consent page, so that a user can understand the client's intended use of the token. Common scopes include profile and email.
Access token
A string that represents authorization granted to the OAuth client by the resource owner. This string represents specific scopes and durations of access. It is granted by the resource owner and enforced by the OAuth server.
Bearer token
Token issued from the token endpoint. This includes an access token and potentially a refresh token. See http://tools.ietf.org/html/rfc6750 for more information on bearer tokens.
Protected resource
A restricted resource that can be accessed from the OAuth server using authenticated requests.
Resource server
The server that hosts the protected resources. It can use access tokens to accept and respond to protected resource requests. The resource server might be the same server as the authorization server.
Authorization grant
A grant that represents the resource owner authorization to access its protected resources. OAuth clients use an authorization grant to obtain an access token. There are four authorization grant types: authorization code, implicit, resource owner password credentials, and client credentials.
Authorization code
A code that the Authorization server generates when the resource owner authorizes a request.
Refresh token
A string that is used to obtain a new access token.
A refresh token is optionally issued by the authorization server to the OAuth client together with an access token. The OAuth client can use the refresh token to request another access token that is based on the same authorization, without involving the resource owner again.