OAuth Actors


Resource Owner




OAuth Server


  1. Login - it could be:
    1. A simple login page which accepts a username and password and verifies them against the credential database
    2. Enterprise Single Sign-On (SSO) which verifies credentials against Active Directory
  2. Consent Server - which obtains the resource owner's consent to grant the client access to the listed resources
  3. Token database - a technical database storing token values and their attributes

Both login and consent happen in the Authorization Endpoint.

OAuth Endpoints


  • Authorization Endpoint - GET /authorize
    • To get an authorization code which will be used to get a token (Authorization Code Grant)
    • To get Access Token directly (Implicit Grant)
  • Token Endpoint - POST /token
    • To create and get an Access Token or Refresh Token (for Authorization Code Grant, Client Credentials Grant, or Resource Owner Password Credentials Grant)
  • Verification Endpoint - /verify
    • Internally accessible by resource server to verify client's token
    • Not specified in the standard

Endpoint names are not standardized and can be named differently by each provider

Resource Server


OAuth Endpoints

  • Authorization Endpoint - provided by OAuth server
  • Token Endpoint - provided by OAuth server
  • Redirect Endpoint - provided by client
  • Resource Endpoint - provided by resource server

Authorization Endpoint


Token Endpoint


  • grant_type could be Client Credentials, Authorization Code, or Resource Owner Password Credentials
  • code is required for the Authorization Code grant type; it is created by the Authorization Endpoint
  • Implicit grant does not use the Token Endpoint

Redirect Endpoint


Resource Endpoint


A token is like a subway ticket: anyone who gets hold of the token can use it to access the resource. The client must keep the token secure.


  • Access Token (AT) is used by the client to access the resource. It usually has an expiry date, e.g. 30 days
  • Refresh Token (RT) is used by the client to get a new Access Token. It must never be sent to the resource servers.
  • Authorization Code (Code) is usually valid for only a couple of minutes, which is enough for the client to exchange it for an Access Token. It must never be sent to the resource servers.


  • Resource Owner Credential is used only by the resource owner and should never be given to anyone else
  • Client Credential is the client id and client secret registered at the OAuth server. It is used by the client to get an Access Token from the OAuth server via the token endpoint.
  • Access Token is used by the client to get the resource from the resource server.
  • Refresh Token is used by the client to get a new Access Token from the OAuth server
  • Authorization Code is used by the client to get an Access Token

Client Registration

  • Before clients can access the resources, they must first be registered at the OAuth Provider.
  • The client must give its Redirect URI and required scopes to the OAuth provider
  • Once successfully registered, the client gets a ClientID and ClientSecret
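As an added example (not code from the original notes or any particular provider), the registration step above can be modelled as a small registry that validates the submitted redirect URIs, issues a client id and a one-time-visible client secret, stores only a salted hash of the secret, and later answers exact-match questions about the redirect URI and scopes. Function names, the URI rules and the hashing parameters are assumptions.

```python
"""Constructed model of OAuth client registration. Not a real provider's API."""
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# In-memory registry: client_id -> record. Only a salted hash of the secret is
# kept, so a leaked registry does not yield usable client credentials.
REGISTRY: dict = {}


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # PBKDF2 iteration count is an assumed value for illustration.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _valid_redirect_uri(uri: str) -> bool:
    """Assumed registration rules: absolute URI, https (plain http only for
    localhost during development), no fragment and no wildcard."""
    p = urlparse(uri)
    if p.scheme not in ("http", "https") or not p.netloc:
        return False
    if p.scheme == "http" and p.hostname not in ("localhost", "127.0.0.1"):
        return False
    if p.fragment or "*" in uri:
        return False
    return True


def register_client(name, redirect_uris, scopes):
    """Registers a client and returns (client_id, client_secret). The secret
    is returned exactly once; the registry keeps only its hash."""
    for uri in redirect_uris:
        if not _valid_redirect_uri(uri):
            raise ValueError(f"unacceptable redirect_uri: {uri}")
    client_id = secrets.token_urlsafe(16)
    client_secret = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    REGISTRY[client_id] = {
        "name": name,
        "redirect_uris": list(redirect_uris),
        "scopes": set(scopes),
        "salt": salt,
        "secret_hash": _hash_secret(client_secret, salt),
    }
    return client_id, client_secret


def authenticate_client(client_id, client_secret) -> bool:
    """Token-endpoint client authentication: constant-time hash comparison."""
    rec = REGISTRY.get(client_id)
    if rec is None:
        return False
    return hmac.compare_digest(rec["secret_hash"],
                               _hash_secret(client_secret, rec["salt"]))


def redirect_uri_allowed(client_id, requested_uri) -> bool:
    """Exact string match against the registered list. No prefix or substring
    matching, so a code or token can only be delivered to a registered URI."""
    rec = REGISTRY.get(client_id)
    return rec is not None and requested_uri in rec["redirect_uris"]


def scope_allowed(client_id, requested_scope) -> bool:
    """The authorization endpoint should refuse scopes the client never
    registered for, before the consent screen is even shown."""
    rec = REGISTRY.get(client_id)
    return rec is not None and set(requested_scope) <= rec["scopes"]
```

The two checks that matter most at runtime are `redirect_uri_allowed`, which must be an exact comparison against what was registered, and `authenticate_client`, which compares hashes rather than the stored secret itself.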