OAuth2 Authorization Server

OAuth2 Authorization Server is the component responsible for authenticating the resource owner (user), obtaining their authorization, and issuing access tokens to clients. Examples include Google, GitHub, and Facebook's authentication services.

Responsibilities

  • Authenticate the resource owner (user login)
  • Display consent screen for requested scopes
  • Issue authorization codes
  • Exchange codes for access/refresh tokens
  • Validate client credentials
  • Validate redirect URIs

Key Endpoints

// Authorization Endpoint - user-facing
GET /authorize
  ?response_type=code
  &client_id=...
  &redirect_uri=...
  &scope=...
  &state=...

// Token Endpoint - machine-to-machine
POST /token
  grant_type=authorization_code
  &code=...
  &client_id=...
  &client_secret=...

// Token Introspection (optional)
POST /introspect
  token=...

// Token Revocation (optional)
POST /revoke
  token=...

Security Considerations

  • Validate redirect_uri exactly (not just prefix match)
  • Bind authorization codes to client_id
  • One-time use for authorization codes
  • Short expiration for authorization codes
  • HTTPS required for all endpoints
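The checks in the list above, as they would be enforced by the authorization and token endpoints, as an added example written for this page (not code from any real authorization server); the client registration, secret and URLs are constructed placeholders:

```python
import secrets
import time

# Registered clients (constructed sample data, not real credentials).
CLIENTS = {
    "web-app": {
        "secret": "s3cret-placeholder",
        "redirect_uris": {"https://app.example.com/callback"},
    }
}

CODE_TTL_SECONDS = 60   # short lifetime for authorization codes
_codes = {}             # code -> {client_id, redirect_uri, scope, expires, used}


def redirect_uri_allowed(client_id, redirect_uri):
    """Exact string match against the registered set; no prefix matching."""
    client = CLIENTS.get(client_id)
    return client is not None and redirect_uri in client["redirect_uris"]


def issue_code(client_id, redirect_uri, scope, now=None):
    """Authorization endpoint: after login and consent, mint a one-time code
    bound to this client_id and redirect_uri."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        raise ValueError("invalid_request: redirect_uri not registered")
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "scope": scope, "expires": now + CODE_TTL_SECONDS, "used": False}
    return code


def exchange_code(code, client_id, client_secret, redirect_uri, now=None):
    """Token endpoint: check client credentials, then the code's binding,
    expiry and single use. Returns a token response or an error dict."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    entry = _codes.get(code)
    if entry is None or entry["used"] or now > entry["expires"]:
        return {"error": "invalid_grant"}
    if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
        entry["used"] = True   # presented by the wrong party: burn the code
        return {"error": "invalid_grant"}
    entry["used"] = True       # one-time use: a replay now fails
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 3600, "scope": entry["scope"]}
```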

See Also