LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the four roles in an OAuth/OIDC flow?

Resource Owner (the user who owns the data), Client (the app asking for access), Authorization Server (issues the tokens), and Resource Server (hosts the protected data).

Role Who/What Example
Resource Owner The user (owns the data) You
Client App requesting access Spotify mobile app
Authorization Server Issues tokens, verifies identity Google, Auth0, Keycloak
Resource Server Hosts protected resources Spotify's API servers

Mnemonic: "Owner lets Client ask Auth Server for access to Resources"

Real-world example - "Login with Google" on Spotify:

  1. You (Resource Owner) click "Login with Google"
  2. Spotify (Client) redirects you to Google
  3. Google (Auth Server) verifies your identity, issues token
  4. Spotify uses token to fetch your profile from Google's API (Resource Server)

Tip: Authorization Server and Resource Server can be the same system (e.g., Google does both). In OpenID Connect terminology the client/app is also called the Relying Party (the app that relies on the identity provider).

Go deeper:

  • doc OAuth (Wikipedia) — the four roles (resource owner, client, authorization server, resource server) and the abstract delegated-authorization flow.

From Quiz: SPRG / Authorization | Updated: Jul 14, 2026