In this post, we’ll delve into some key concepts of the OAuth 2.0 Authorization Framework . Understanding OAuth 2.0 is crucial for working with APIs that are protected by this mechanism. OAuth 2.0 defines four main roles:

• Resource Owner: the entity (often a person) that grants access to a protected resource.
• Resource Server: the server hosting the protected resource.
• Client: the application that needs to access a protected resource and is authorized by the resource owner.
• Authorization Server: the server that issues an access token to the client after the resource owner has authenticated and authorized the client’s access to the protected resource.

From our perspective, the resource server and authorization server can be a single entity and typically exist within the same security perimeter.

OAuth 2.0 supports various workflows, known as grant types. Four types of workflows are defined, but two are the most commonly used:

• Authorization Code (3-legged): Preferred when the client is a web application running on a server and the resource server is owned by a third party.
• Client Credentials (2-legged): Necessary for machine-to-machine interactions. In this scenario, the client is also the resource owner, meaning no user authorization is needed.

Continue reading the post on Patreon .