Tags: spring-security, oauth-2.0, spring-security-oauth2

How OAuth 2.0 Authorization Server and Resources Server share tokens if they are in separate applications?


I want to know how the Authorization Server shares tokens (access tokens) with the Resource Server if they are in separate applications.

I am using Spring OAuth 2.0 / Authorization Code Grant Type.


Solution

  • I just happen to have an excellent video that explains everything to you. Spend an hour on it. It's worth your time. I promise.

    Some definitions

    1. Client - an application that needs to access an API on a server
    2. Resource Server - an application that hosts a protected API
    3. Authorization Server - an application that issues tokens that assert the identity of a client

    The scenario is simple

    Let's say that there is an application called Photo Storage. All this application does is let you upload, download, update and remove photos.

    Photo Storage is a resource server.

    A mobile application is called Photo Editor and it knows how to edit photos. Photo Editor is a client.

    Now, Photo Editor wants you to be able to log in so that it can access your photos on the Photo Storage application. But Photo Storage doesn't know about Photo Editor (nor does it need to). Photo Storage needs someone to vouch for Photo Editor; for that, we have an Authorization Server.

    It looks like this:

    
        Photo Editor                 Photo Storage           Authorization Server
    
        Get Token  ------------authorization_code (https)----------->
    
        Download Photo ----token(https)---->
    
        Edit Photo (local)
    
        Upload Photo -----token(https)----->
    
    

    Here is what is nice about this:

    1. The Client, Photo Editor, knows about Photo Storage and Authorization Server
    2. The Resource Server, Photo Storage, knows of Authorization Server, but nothing about Photo Editor
    3. The Authorization Server knows about Photo Editor (client_id, client_secret) but it knows nothing about Photo Storage (but it can, if Photo Storage also is a Client)

    The Client (Photo Editor) downloads the token from the Authorization Server over an HTTP request. The token itself is a string. It can be encoded JSON (JSON Web Token, JWT) or it can be a unique arbitrary string.

    When the Client needs to access the Resource Server, it will invoke the HTTP API on the Resource Server and send the token up as part of the request in an HTTP header:

        GET /photo/download/1 HTTP/1.1
        Authorization: Bearer dsadsadsadasdasdasda.....
    

    The Resource Server will validate the token, either internally or contact the Authorization Server, and based on the result, it allows the call from the Client or rejects it.

    I hope this helps. As I said, the video will explain this in better detail with examples.

    The TL;DR answer to your question is that the token is just a string, and it is sent up as part of the HTTP request. The applications can all sit on different servers (Client -> smart phone, Resource Server -> Amazon AWS Server, Authorization Server -> Google Cloud Server).
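As an added example (not from the answer above, and not Spring Security OAuth code), here is the "validate internally" path in Python: the Authorization Server issues a self-contained signed token, and the Resource Server checks the Bearer header with a verification key it was given out of band, without ever learning anything about the Client. The key, audience, issuer and scope names are constructed for this example.

```python
import base64, hashlib, hmac, json, time

# Constructed: the verification key the two servers share out of band. HS256 keeps
# the example short; a real deployment would usually give the Resource Server only
# the public half of an asymmetric key so it cannot mint tokens itself.
SHARED_KEY = b"example-shared-key-not-for-production"
AUDIENCE = "photo-storage"          # constructed identifier for the Resource Server

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# --- Authorization Server side: mint the token after the authorization_code exchange ---
def issue_jwt(client_id: str, subject: str, scope: str, ttl: int = 300, now=None) -> str:
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"iss": "auth-server", "sub": subject, "aud": AUDIENCE,
                              "client_id": client_id, "scope": scope,
                              "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64(sig)}"

# --- Resource Server side: validate the Bearer token locally, no call to anyone ---
def validate_request(headers: dict, required_scope: str, now=None):
    """Return the verified claims, or None if the request must be rejected (401/403)."""
    now = int(time.time()) if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    parts = auth[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    header, claims, sig = parts
    try:
        expected = hmac.new(SHARED_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):   # constant-time compare
            return None
        body = json.loads(_unb64(claims))
    except ValueError:                                        # bad base64 / bad JSON
        return None
    # Audience binds the token to this Resource Server; exp limits replay of a leaked one.
    if body.get("aud") != AUDIENCE or body.get("exp", 0) <= now:
        return None
    if required_scope not in body.get("scope", "").split():
        return None
    return body
```

The Resource Server never sees client_id/client_secret; it only needs the verification key and its own audience value, which is exactly why the two can run as separate applications.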