What are the different servers called in an OAuth flow?
-
I want to know what the different servers involved are called in the OAuth flow using JWTs. I know one of the servers issues the JWT, and the other server validates the JWT, but I don't know what these servers are named. Can you tell me?
-
The server that issues and signs the JWT is called the Authorization Server. This is what FusionAuth is, as we issue and sign the JWTs, which are then presented to other servers via API calls.
The servers that are connected to resources that a user is trying to access by first authenticating with a JWT are called Resource Servers.
So, for example, if you have a ToDo app, where a user is trying to access a list of ToDo items, the user would first authenticate with the external IdP. Then the JWT is issued by that IdP, passed to the client, and then the client would present that JWT to the resource server to gain access to the ToDo items.
For what it's worth, in SAML the auth server coincides with the IdP, and the resource server coincides with the Relying Party.
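The two roles described in the answer, as an added example that is not part of the original answer or of FusionAuth's code: the authorization server signs a JWT, the client carries it, and the resource server validates it before serving the ToDo items. The issuer URL, audience name and shared secret are assumed values; stdlib only.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed shared secret for the example; a real deployment would use an
# asymmetric key so the resource server only holds the public half.
SECRET = b"example-shared-secret"
ISSUER = "https://auth.example.com"   # assumed authorization server
AUDIENCE = "todo-api"                   # assumed resource server identifier

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(subject: str, now: int, ttl: int = 300) -> str:
    """Authorization server role: build and sign an HS256 JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token: str, now: int) -> Optional[dict]:
    """Resource server role: check alg, signature, iss, aud and exp.
    Returns the claims on success, None on any failure."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: never let the token's 'alg' pick the verifier.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None
    # Only accept tokens from our authorization server, meant for this API.
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```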