Quiz Entry - updated: 2026.07.14
What are the four roles in an OAuth/OIDC flow?
Resource Owner (the user who owns the data), Client (the app asking for access), Authorization Server (issues the tokens), and Resource Server (hosts the protected data).
| Role | Who/What | Example |
|---|---|---|
| Resource Owner | The user (owns the data) | You |
| Client | App requesting access | Spotify mobile app |
| Authorization Server | Issues tokens, verifies identity | Google, Auth0, Keycloak |
| Resource Server | Hosts protected resources | Spotify's API servers |
Mnemonic: "Owner lets Client ask Auth Server for access to Resources"
Real-world example - "Login with Google" on Spotify:
- You (Resource Owner) click "Login with Google"
- Spotify (Client) redirects you to Google
- Google (Auth Server) verifies your identity, issues token
- Spotify uses token to fetch your profile from Google's API (Resource Server)
Tip: Authorization Server and Resource Server can be the same system (e.g., Google does both). In OpenID Connect terminology the client/app is also called the Relying Party (the app that relies on the identity provider).
Go deeper:
OAuth (Wikipedia) — the four roles (resource owner, client, authorization server, resource server) and the abstract delegated-authorization flow.