the_coder_in_me
Reputation: 143
For OAuth, does the protected resource belong to the authorization server always?
I have been reading about OAuth and OpenID quite a lot and get the part that OAuth protocol is an authorization protocol and not an authentication protocol. So if the Authorization Server in OAuth has the right to generate Access tokens for a Protected resource that might be hosted on a separate server, does that mean that the protected resource belongs to the same party as the OpenId Provider or OAuth Server?
Can the Protected Resource belong to some other organization. If yes, is there a standardized protocol by which the protected resource server validates the Access Token
Upvotes: 0
Views: 68
Answers (1)
Takahiko Kawasaki
Reputation: 19001
RFC 7662 (OAuth 2.0 Token Introspection) is the standard way.
Upvotes: 1
Related Questions
- How OAuth resource server receives access token?
- OIDC, OAuth2.0 and role of access token when OAuth client application and resource server are not different
- OAuth 2.0 - role of the resource server, authorization server and the resource owner
- oauth2 - How does resource server know if user authorized?
- How access token is validated for accessing protected resources in token based mechanism?
- OpenID Connect - should the id token be sent to the protected resource in this case?
- In OAuth2, does the Authorization Server send the auth code directly to the Client, or to the Client through the Resource Owner?
- How does the Resource Server understand the Access Token in OAuth 2.0?
- Who is the resource owner?
- What is the proper way to handle protected resources in Oauth 1.0a?