OAuth 2.0 Roles
Jakob Jenkov
OAuth 2.0 defines the following roles of users and applications:
- Resource Owner
- Resource Server
- Client Application
- Authorization Server
These roles are illustrated in this diagram:
Figure: OAuth 2.0 roles as defined in the specification.
The resource owner is the person or application that owns the data that is to be shared. For instance, a user on Facebook or Google could be a resource owner. The resource they own is their data. The resource owner is depicted in the diagram as a person, which is probably the most common situation. The resource owner could also be an application. The OAuth 2.0 specification mentions both possibilities.
The resource server is the server hosting the resources. For instance, Facebook or Google is a resource server (or has a resource server).
The client application is the application requesting access to the resources stored on the resource server, resources which are owned by the resource owner. A client application could be a game requesting access to a user's Facebook account.
The authorization server is the server authorizing the client app to access the resources of the resource owner. The authorization server and the resource server can be the same server, but they don't have to be. The OAuth 2.0 specification does not say anything about how these two servers should communicate if they are separate. This is an internal design decision to be made by the developers of the resource server and the authorization server.
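As an added example (not part of the original article), here is a small Python model of the four roles: the resource owner's consent is recorded at the authorization server, the client application obtains a token and presents it to the resource server, and the resource server enforces signature, expiry, owner and scope before releasing data. It assumes, as one of the internal design choices the text leaves open, that the two servers share an HMAC key; the key, client name and sample data are constructed for the demo.

```python
import base64, hashlib, hmac, json, time
# Assumption (not in the spec): AS and RS share this HMAC key so the RS can verify tokens locally.
SHARED_KEY = b"constructed-demo-key"

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class AuthorizationServer:
    """Issues tokens to a client once the resource owner has authorized it."""
    def __init__(self, key: bytes):
        self.key = key
        self.consents = {("alice", "game-app")}  # constructed: (owner, client)

    def issue_token(self, client_id, resource_owner, scope, ttl=300):
        if (resource_owner, client_id) not in self.consents:
            raise PermissionError("resource owner has not authorized this client")
        claims = {"client": client_id, "sub": resource_owner,
                  "scope": sorted(scope), "exp": int(time.time()) + ttl}
        body = b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return body + "." + b64(sig)  # token = body.signature

class ResourceServer:
    """Hosts the resource owner's data and enforces the token's claims."""
    def __init__(self, key: bytes):
        self.key = key
        self.data = {"alice": {"friends": ["bob"], "email": "alice@example.com"}}

    def validate(self, token, now=None):
        body, _, sig = token.partition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64(sig)):
            return None  # forged or tampered token
        claims = json.loads(unb64(body))
        if claims["exp"] <= (time.time() if now is None else now):
            return None  # expired token
        return claims

    def read(self, token, owner, field):
        claims = self.validate(token)
        # Valid token, issued for this owner, and scope covers this field.
        if claims is None or claims["sub"] != owner or field not in claims["scope"]:
            raise PermissionError("access denied")
        return self.data[owner][field]

def client_fetch(auth, rs, owner, field):  # the client application role
    return rs.read(auth.issue_token("game-app", owner, {field}), owner, field)
```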