Security Glossary

OAuth2 Authorization Server

The OAuth2 component that authenticates users, obtains authorization, and issues access tokens to clients after successful authentication.

OAuth2 Authorization Server is the component responsible for authenticating the resource owner (user), obtaining their authorization, and issuing access tokens to clients. Examples include Google, GitHub, and Facebook's authentication services.

Responsibilities

Authenticate the resource owner (user login)
Display consent screen for requested scopes
Issue authorization codes
Exchange codes for access/refresh tokens
Validate client credentials
Validate redirect URIs

Key Endpoints

// Authorization Endpoint - user-facing
GET /authorize
  ?response_type=code
  &client_id=...
  &redirect_uri=...
  &scope=...
  &state=...

// Token Endpoint - machine-to-machine
POST /token
  grant_type=authorization_code
  &code=...
  &client_id=...
  &client_secret=...

// Token Introspection (optional)
POST /introspect
  token=...

// Token Revocation (optional)
POST /revoke
  token=...

Security Considerations

Validate redirect_uri exactly (not just prefix match)
Bind authorization codes to client_id
One-time use for authorization codes
Short expiration for authorization codes
HTTPS required for all endpoints

OAuth2 Authorization Server

Responsibilities

Key Endpoints

Security Considerations

See Also