Reputation: 39
I'm developing an authentication/authorization system in Node.js for a microservice-based application.
I read some articles and documentation about the OAuth2 standard but I need some clarification for my use case. Basically OAuth2 has some actors like:
So in my database I store a client (web application) with its client_id and client_secret.
Let's suppose that one of my microservices needs to access data from another microservice. Both of them expose a REST API. There is no interaction with a user; everything is done in the background. In this case I would use the client credential flow. Following OAuth2 rules, both of them are resource servers, but at the same time it looks like they are client apps as well.
So should I register them in the client DB table/collection with client id, secret, et cetera, or did I make some mistakes?
Thank you
Upvotes: 0
Views: 1660
Reputation: 790
If I understood your question correctly, the caller micro-service is your client and the one that is being called is your resource. A lot depends on what type of micro-service communication pattern you have implemented. If you are implementing an "API Gateway" pattern, then your Gateway is always the client and all other micro-services can be treated as resources. But if your micro-services can call each other, then, like you mentioned, each one of them has to be registered as a client and a resource at the same time.
Upvotes: 0
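The arrangement described in the answer, as an added Node.js example that is not part of the original post: each service appears in the client table (so it can request tokens with the client credentials grant) and also validates tokens addressed to itself as a resource. The service names, secrets, the `mayCall` field and the shared HS256 key are assumptions made for illustration.

```javascript
// Added example: all names, secrets and the signing key are constructed for illustration.
const crypto = require('crypto');

const SIGNING_KEY = crypto.randomBytes(32); // auth server key; prefer an asymmetric key in production
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const sign = (data) => crypto.createHmac('sha256', SIGNING_KEY).update(data).digest('base64url');

// Client table: every caller is a client (id + hashed secret) limited to the resources it may call.
const clients = new Map([
  ['orders-service',  { secretHash: sha256('orders-secret'),  mayCall: ['billing-service'] }],
  ['billing-service', { secretHash: sha256('billing-secret'), mayCall: ['orders-service'] }],
  ['web-app',         { secretHash: sha256('web-secret'),     mayCall: ['orders-service'] }],
]);

// Token endpoint logic for grant_type=client_credentials.
function issueToken(clientId, clientSecret, audience, now = Date.now()) {
  const client = clients.get(clientId);
  // Compare fixed-length hashes in constant time; unknown client and bad secret look the same.
  if (!client || !crypto.timingSafeEqual(client.secretHash, sha256(clientSecret))) {
    return { error: 'invalid_client' };
  }
  // Least privilege: a client only gets tokens for resources it is registered to call.
  if (!client.mayCall.includes(audience)) return { error: 'invalid_target' };
  const claims = { iss: 'auth-service', sub: clientId, aud: audience,
                   exp: Math.floor(now / 1000) + 300 };
  const body = `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(claims)}`;
  return { access_token: `${body}.${sign(body)}`, token_type: 'Bearer', expires_in: 300 };
}

// Resource-server check: a service accepts only unexpired tokens whose audience is itself.
function verifyToken(token, self, now = Date.now()) {
  const [h, p, sig] = String(token).split('.');
  if (!h || !p || !sig) return null;
  const expected = Buffer.from(sign(`${h}.${p}`));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (claims.aud !== self || claims.exp * 1000 <= now) return null;
  return claims; // claims.sub identifies the calling service
}
```

The audience check is what keeps a token issued for one service from being replayed against another, even though both trust the same authorization server.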