The role it plays
The authorization server is the component that authenticates the user, gathers their consent, and then issues tokens that clients use to access protected resources. It is the trusted heart of an access control system.
It does not serve business data itself; that is the resource server's job. The authorization server decides who may receive a token and then mints, refreshes, and revokes those tokens.
What it manages
- Clients, meaning the apps allowed to request tokens, each registered with its own client identifier, its allowed redirect URIs, and, for confidential clients such as server-side apps, a secret. Public clients such as single-page and mobile apps cannot keep a secret, so the server must not rely on one for them (PKCE is the usual substitute).
- Grants, the flows by which a token is obtained, such as exchanging an authorization code.
- Token lifecycle, including issuing access tokens, rotating refresh tokens, and revoking them.
The issuing flow
A client redirects the user to the authorization server. After login and consent, the server redirects back to the client's registered redirect URI with a short-lived, single-use code. The client then exchanges that code at the token endpoint over a back channel, authenticating itself (or proving possession of the PKCE verifier it started with), and receives the tokens there. Splitting the code from the token keeps the token out of the browser address bar, history, and referrer logs, and a leaked code is worth little: it expires quickly, works once, and can only be redeemed by the client it was issued to.
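The following is an added example, not code from the original page, that puts the pieces listed under "What it manages" and the flow above into one runnable toy authorization server: client registration (confidential and public), the front-channel authorization step that mints a code, the back-channel token endpoint that verifies the client, the code's binding to client and redirect URI and the PKCE verifier, refresh-token rotation, revocation, and the introspection call a resource server would make. The class and method names (AuthorizationServer, make_pkce, authorize, token, revoke, introspect) are assumed for illustration, tokens are opaque random strings held in memory, and the refresh-token reuse detection (a replayed, already-rotated refresh token revokes the whole token family) goes beyond what the text describes.

```python
"""Toy OAuth 2.0 authorization server (illustration only): authorization-code grant with PKCE, single-use
codes, refresh-token rotation with reuse detection, and revocation. Opaque in-memory tokens; not real server code."""
import base64
import hashlib
import secrets
import time

class AuthError(Exception): pass  # a real server maps these onto RFC 6749 error responses

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_pkce():
    """Client side: a fresh random verifier and its S256 challenge (RFC 7636)."""
    verifier = secrets.token_urlsafe(48)
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())

class AuthorizationServer:
    CODE_TTL, ACCESS_TTL = 60, 600  # seconds a code stays exchangeable; access token lifetime

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be exercised
        self.clients = {}         # client_id -> {"secret": str | None, "redirect_uris": set}
        self.codes = {}           # code -> pending grant bound to client, redirect_uri and challenge
        self.access_tokens = {}   # access token -> claims
        self.refresh_tokens = {}  # live refresh token -> claims; rotated ones move to spent_refresh
        self.spent_refresh = {}   # rotated refresh token -> family id, for reuse detection

    def register_client(self, client_id, redirect_uris, secret=None):  # secret=None: public client, PKCE only
        self.clients[client_id] = {"secret": secret, "redirect_uris": set(redirect_uris)}

    def authorize(self, client_id, redirect_uri, scope, code_challenge, user_id):
        """Front channel: runs after the user has logged in and consented; returns the code."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise AuthError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope, "sub": user_id,
                            "code_challenge": code_challenge, "exp": self.now() + self.CODE_TTL}
        return code

    def _authenticate_client(self, client_id, client_secret):
        client = self.clients.get(client_id)
        if client is None:
            raise AuthError("unknown client")
        expected = client["secret"]
        if expected is not None and not (client_secret and secrets.compare_digest(expected, client_secret)):
            raise AuthError("client authentication failed")

    def _issue(self, sub, client_id, scope, family):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        claims = {"sub": sub, "client_id": client_id, "scope": scope, "family": family}
        self.access_tokens[access] = {**claims, "exp": self.now() + self.ACCESS_TTL}
        self.refresh_tokens[refresh] = dict(claims)
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer",
                "expires_in": self.ACCESS_TTL, "scope": scope}

    def _revoke_family(self, family):
        for store in (self.access_tokens, self.refresh_tokens):
            for tok in [t for t, c in store.items() if c["family"] == family]:
                del store[tok]

    def token(self, grant_type, client_id, client_secret=None, **params):
        """Back channel: the token endpoint. The client authenticates here, never in the browser."""
        self._authenticate_client(client_id, client_secret)
        if grant_type == "authorization_code":
            grant = self.codes.pop(params.get("code"), None)  # single use, even if a later check fails
            if grant is None or grant["exp"] < self.now():
                raise AuthError("invalid or expired code")
            if grant["client_id"] != client_id or grant["redirect_uri"] != params.get("redirect_uri"):
                raise AuthError("code was issued to another client or redirect_uri")
            digest = hashlib.sha256(params.get("code_verifier", "").encode()).digest()
            if b64url(digest) != grant["code_challenge"]:
                raise AuthError("PKCE verification failed")
            return self._issue(grant["sub"], client_id, grant["scope"], family=secrets.token_hex(8))
        if grant_type == "refresh_token":
            presented = params.get("refresh_token")
            if presented in self.spent_refresh:  # replay of a rotated token: treat it as stolen
                self._revoke_family(self.spent_refresh[presented])
                raise AuthError("refresh token reuse detected; token family revoked")
            old = self.refresh_tokens.pop(presented, None)
            if old is None or old["client_id"] != client_id:
                raise AuthError("invalid refresh token")
            self.spent_refresh[presented] = old["family"]
            return self._issue(old["sub"], client_id, old["scope"], old["family"])
        raise AuthError("unsupported grant_type")

    def revoke(self, client_id, client_secret, token):  # RFC 7009 style: either token kills the whole family
        self._authenticate_client(client_id, client_secret)
        claims = self.access_tokens.get(token) or self.refresh_tokens.get(token)
        if claims and claims["client_id"] == client_id:
            self._revoke_family(claims["family"])

    def introspect(self, token):  # what a resource server asks the issuer: is this token live, and for whom?
        claims = self.access_tokens.get(token)
        if claims is None or claims["exp"] < self.now():
            return {"active": False}
        return {"active": True, "sub": claims["sub"], "scope": claims["scope"], "client_id": claims["client_id"]}
```

Two design points worth noticing. The code is popped from the store before any check runs, so a failed exchange burns it and an attacker cannot keep guessing a verifier against the same code. And refresh rotation only pays off if reuse is detected: once a refresh token has been exchanged, presenting it again is evidence that two parties hold it, and the safe response is to revoke every token descended from that grant rather than just reject the request.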
Why centralize it
Putting issuance in one place means consent, multi-factor authentication, and revocation are enforced consistently for every client, and resource servers only need to trust this one issuer's tokens.
Key idea
The authorization server authenticates users, captures consent, and issues and revokes tokens so resource servers trust a single issuer.