Reputation: 1
In my understanding, the Authenticator Server is in charge of the Authentication Code and Token, and the Resource Server needs the Token to verify it.
So my solution is that both of them need to connect to the same OAuth database, or the Resource Server invokes the Authenticator Server to verify the token; it seems they are coupled.
If I misunderstood something please correct me. Thanks in advance.
Upvotes: 0
Views: 419
Reputation: 10996
As stated, you are correct. The OAuth 2.0 specifications do not describe how the Authorization Server and Resource Server interact.
-jim
Upvotes: 0
Reputation: 53958
You are correct: the Resource Server and the Authorization Server need to "understand" each other and thus can be considered coupled. They typically live in the same administrative domain. OAuth 2.0 has not standardized the interface between RS and AS in the core spec, meaning that the connection between the two is implementation specific. There is a more recent extension specification that standardizes the API between RS and AS, which would make it easier to use an RS and an AS from different vendors/stacks: https://www.rfc-editor.org/rfc/rfc7662
Upvotes: 1
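The RS-to-AS interface the answer refers to is RFC 7662 token introspection. The following is an added example, not code from the thread or from any OAuth library: it simulates the introspection call in-process so it runs offline, and the token store, the RS credentials, the token strings and the audience URL are all constructed sample values.

```python
# Added example (not from the original thread): a minimal RFC 7662 token
# introspection exchange between a Resource Server (RS) and an Authorization
# Server (AS). The HTTP round trip is replaced by a direct function call;
# the token store, RS credentials and token values are constructed data.
import hmac

NOW = 1_700_000_000  # constructed "current time" so the example is deterministic

# Constructed AS-side store: opaque token -> metadata (RFC 7662 section 2.2 fields).
TOKEN_STORE = {
    "tok-valid": {"active": True, "scope": "read write", "client_id": "app-1",
                  "aud": "https://api.example/", "exp": NOW + 3600, "sub": "alice"},
    "tok-expired": {"active": True, "scope": "read", "client_id": "app-1",
                    "aud": "https://api.example/", "exp": NOW - 60, "sub": "bob"},
}

# RS credentials registered at the AS. RFC 7662 section 2.1 requires the
# introspection endpoint to authenticate its caller so tokens cannot be probed.
RS_CREDENTIALS = {"rs-1": "rs-secret"}


def introspect(token, rs_id, rs_secret, now=NOW):
    """AS side: RFC 7662 introspection; returns the JSON-style response dict."""
    if not hmac.compare_digest(RS_CREDENTIALS.get(rs_id, ""), rs_secret):
        raise PermissionError("introspection caller not authenticated")
    meta = TOKEN_STORE.get(token)
    # Section 2.2: unknown, revoked and expired tokens all collapse to
    # {"active": false}; the AS does not say which case applied.
    if meta is None or not meta["active"] or meta["exp"] <= now:
        return {"active": False}
    return dict(meta)


def rs_authorize(token, required_scope, my_audience, now=NOW):
    """RS side: ask the AS, then apply the RS's own checks on the answer."""
    info = introspect(token, "rs-1", "rs-secret", now)
    if not info.get("active"):
        return False, "inactive token"
    # The AS only says the token is live; the RS must still confirm the token
    # was issued for this resource ...
    if info.get("aud") != my_audience:
        return False, "audience mismatch"
    # ... and that it carries the scope the requested operation needs.
    if required_scope not in info.get("scope", "").split():
        return False, "insufficient scope"
    return True, info["sub"]
```

The coupling the question describes is still present, but it is now confined to one documented endpoint plus the RS's credentials at the AS, rather than a shared database.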