OAuth 2.0 Demystified: Understanding the Four Roles

The OAuth 2.0 Authorisation Framework, or simply OAuth 2.0, is defined in RFC 6749. It is an authorisation specification: by authorisation we specifically mean granting someone access to something you own, such as your banking transactions.

Let's assume that I have created the best alternative banking mobile app in the world and you want to use it. The mobile app needs access to your bank account so that it can transfer funds, pay your beneficiaries and get your latest account balance.

In the OAuth 2.0 world, you are known as the Resource Owner, since it is your bank account (the resource) that is being accessed.

How does the mobile application get access to your bank account? When you add your bank account to the mobile application for the first time, it will ask you to log in to your bank (we are, of course, assuming that your bank also uses OAuth 2.0). The server at the bank that you log in to is known as the Authorisation Server: it decides whether the mobile application is allowed to access your bank account, and it tells the bank account server so.

The mobile application is known as the Client in the OAuth 2.0 world, as it acts on your behalf. The server where your bank account is stored is called the Resource Server.

At this point we have identified the four roles in the OAuth 2.0 Authorisation Framework, viz.,

  • the resource owner (that's you),
  • the resource server (the server on which your bank account is stored),
  • the client (the alternative banking app), and
  • the authorisation server (bank's security server).
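As an added illustration (not code from the original post), here are the four roles modelled as in-process Python objects; the class names, the "balance:read" scope and the account data are assumptions. It shows the resource server handing out a balance only after the authorisation server vouches for the token, while a resource owner who declines, an unregistered client, an expired token or a token with the wrong scope all end in a refusal.

```python
import secrets
import time

# Added illustration of the four RFC 6749 roles; class names, scope and sample data are constructed.

class AuthorisationServer:
    """The bank's security server: the resource owner logs in here and approves the client."""
    def __init__(self, registered_clients):
        self.registered_clients, self.tokens = set(registered_clients), {}  # token -> grant

    def authorise(self, client_id, resource_owner, scopes, owner_approved, ttl=600):
        # Only a registered client that the resource owner has actually approved gets a token.
        if client_id not in self.registered_clients or not owner_approved:
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {"client_id": client_id, "owner": resource_owner,
                              "scopes": frozenset(scopes), "expires": time.time() + ttl}
        return token

    def introspect(self, token):
        # Answers the resource server's question: is this token still valid, and for whom?
        grant = self.tokens.get(token)
        if grant is None or grant["expires"] <= time.time():
            return None
        return grant

class ResourceServer:
    """Where the accounts live: trusts the authorisation server's answer, never the client's claim."""
    def __init__(self, auth_server, balances):
        self.auth_server, self.balances = auth_server, balances  # resource owner -> balance

    def get_balance(self, token):
        grant = self.auth_server.introspect(token)
        if grant is None or "balance:read" not in grant["scopes"]:
            return None  # unknown, expired or insufficiently scoped token: refuse
        return self.balances[grant["owner"]]

class Client:
    """The alternative banking app: acts on the resource owner's behalf using the token it holds."""
    def __init__(self, client_id):
        self.client_id, self.token = client_id, None

    def connect(self, auth_server, resource_owner, owner_approved):
        # The resource owner, not the client, decides whether access is granted.
        self.token = auth_server.authorise(self.client_id, resource_owner,
                                           ["balance:read"], owner_approved)
        return self.token is not None

    def show_balance(self, resource_server):
        return resource_server.get_balance(self.token)
```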