OAuth 2.0 and OpenID Connect terminology.
Resource Owner
The entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
Resource Server
The server hosting the protected resources. Also known as the API server. It accepts and responds to protected resource requests using access tokens.
Client
An application making protected resource requests on behalf of the resource owner. The term "client" does not imply any particular implementation (server, desktop, mobile, etc.).
Authorization Server
The server that issues access tokens to the client after authenticating the resource owner and obtaining authorization. Authority is an authorization server.
Access Token
A credential used to access protected resources. Access tokens represent the authorization granted to the client. Authority issues JWTs as access tokens.
Refresh Token
A credential used to obtain new access tokens. Refresh tokens may be issued alongside access tokens and allow clients to get new tokens without user interaction. They live longer than access tokens, so they must be stored and transmitted with corresponding care.
ID Token
A JSON Web Token (JWT) that contains claims about the authentication event and the user. Part of OpenID Connect.
Authorization Code
A short-lived code returned after user authorization. Exchanged for access tokens at the token endpoint.
Device Code
A code issued in the device authorization flow to a device with limited input capability. The device holds the device code and uses it to poll the token endpoint; the user is shown a separate, short user code to enter on another device (such as a phone), where they sign in and authorize.
Grant Type
The method used to obtain an access token. Common types:
Authorization Code - Web applications (and, combined with PKCE, mobile and single-page applications)
Client Credentials - Machine-to-machine
Device Code - IoT devices, CLIs
Refresh Token - Token renewal
Scope
A string that defines the access level requested by the client. Examples: read, write, openid, profile.
Redirect URI
The URL where the authorization server redirects the user agent after authorization, carrying the authorization code. Also called callback URL. The authorization server must only redirect to URIs pre-registered for the client, since a loosely matched redirect URI lets an attacker receive the authorization code.
State
A random, unguessable value the client sends in the authorization request and checks when the redirect returns. It ties the response to the client session that started the flow and so prevents CSRF attacks during the authorization flow.
PKCE (Proof Key for Code Exchange)
An extension that protects authorization code flow against interception. Pronounced "pixie".
Code Verifier
A high-entropy random string used in PKCE, between 43 and 128 characters long. Created by the client before the authorization request and kept secret until the token exchange.
Code Challenge
A transformation of the code verifier, normally with the S256 method: base64url(SHA-256(code_verifier)). Sent in the authorization request together with the code_challenge_method. At the token exchange the client presents the original code verifier; the authorization server recomputes the challenge and compares it with the one it stored, so an intercepted authorization code is useless without the verifier.
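The verifier/challenge round trip described above, as an added example in Python using only the standard library. This is not Authority's own code: the function names and the server_verify() model of the token-endpoint check are illustrative, and the known-answer value in the usage below is the test vector from RFC 7636 Appendix B.

```python
# Added example: PKCE verifier/challenge round trip with the standard library only.
# Function names and the server_verify() model of the token endpoint are illustrative,
# not Authority's API.
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy random string of 43..128 unreserved characters.

    32 random bytes base64url-encode to 43 characters, the RFC 7636 minimum.
    """
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: the value sent as code_challenge in the authorization request."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":  # RFC 7636 allows this only when the client cannot do S256
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def server_verify(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization server side, at the token endpoint.

    The server stored (code_challenge, code_challenge_method) next to the
    authorization code when it issued the code. It now recomputes the challenge
    from the code_verifier the client presents and compares in constant time.
    """
    if not 43 <= len(presented_verifier) <= 128:
        return False
    try:
        expected = make_code_challenge(presented_verifier, stored_method)
    except ValueError:
        return False
    return secrets.compare_digest(expected, stored_challenge)


def demo() -> dict:
    """Legitimate exchange beside an attacker who holds the code but not the verifier."""
    verifier = make_code_verifier()            # kept in the client's memory only
    challenge = make_code_challenge(verifier)  # goes into the authorization request
    return {
        "legitimate": server_verify(challenge, "S256", verifier),
        # The interceptor saw code_challenge on the wire but can only guess a verifier.
        "interceptor": server_verify(challenge, "S256", make_code_verifier()),
    }
```

Running make_code_challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk") reproduces the RFC 7636 Appendix B challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM, and demo() shows the server accepting the real verifier while rejecting a guessed one. The length check in server_verify() rejects malformed verifiers before any hashing, and the constant-time compare avoids leaking how much of the challenge matched.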
Confidential Client
A client capable of maintaining the confidentiality of its credentials. Typically server-side applications.
Public Client
A client that cannot maintain secret credentials. Mobile apps, SPAs, and native applications. Public clients should use the authorization code flow with PKCE rather than relying on a client secret.
First-Party Client
A client owned by the same entity that operates the authorization server. Trusted with user credentials.
Third-Party Client
A client owned by a different entity. Should never directly handle user credentials.
Claims
Pieces of information about a user. Examples: name, email, sub.
UserInfo Endpoint
An endpoint that returns claims about the authenticated user.
Discovery
The mechanism to automatically find authorization server endpoints and capabilities. In OpenID Connect this is a JSON document served at /.well-known/openid-configuration under the issuer URL.
JWKS (JSON Web Key Set)
A set of public keys used to verify token signatures.
Nonce
A random value sent in the authorization request and echoed back inside the ID token. The client checks that the returned nonce matches the one it sent, which prevents replay of an ID token issued for a different request.
MFA (Multi-Factor Authentication)
Authentication requiring multiple verification methods. Authority supports TOTP-based MFA.
TOTP (Time-based One-Time Password)
A temporary passcode generated by an authenticator app from a shared secret and the current time. Changes every 30 seconds with the default time step.
Session
A server-side record of a user's authentication state. Persists across requests, typically referenced by a session cookie.
Token Introspection
A mechanism for resource servers to query the authorization server about a token's current state.
Token Revocation
The process of invalidating a token before its natural expiration.
Consent
The user's explicit approval of the scopes requested by a client.
Audit Log
A record of security-relevant events for compliance and monitoring.
Account Lockout
Temporarily blocking access after multiple failed authentication attempts.
JWT (JSON Web Token)
Header
The first part of a JWT, a base64url-encoded JSON object containing the token type and signing algorithm (alg) and, when the key comes from a JWKS, the key identifier (kid). A verifier must not trust the header's alg blindly; it should accept only the algorithms it expects.
Payload
The second part of a JWT, a base64url-encoded JSON object containing claims about the subject.
Signature
The third part of a JWT, computed over the encoded header and payload, used to verify the token hasn't been tampered with.
Issuer (iss)
The entity that issued the token. For Authority tokens, this is the server URL. Verifiers check it against the issuer they trust.
Subject (sub)
The identifier of the principal (user) the token is about.
Audience (aud)
The intended recipient of the token. For an ID token this is the client ID; for an access token it identifies the resource server the token is meant for. A recipient must reject tokens whose audience does not include itself.
Expiration (exp)
The time, as seconds since the Unix epoch, after which the token must not be accepted. Verifiers may allow a small leeway for clock skew between servers.
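The JWT structure and the iss/aud/exp checks from the entries above, as an added example in Python. This is not Authority's own code. It uses HS256 with a constructed shared key because the standard library has no RSA, whereas Authority publishes public keys in a JWKS for verification; the three-part layout, the algorithm pinning and the claim checks are the same either way. The issuer URL, key, subject and client IDs are constructed for the demo.

```python
# Added example: decode and validate a JWT's three parts and its iss/aud/exp claims.
# HS256 with a constructed shared key is used because Python's standard library has
# no RSA; Authority publishes public keys in a JWKS, but the structure and the
# claim checks are the same. Issuer URL, key and client IDs are constructed.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issuer side: header.payload.signature, each part base64url-encoded."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str,
               now: Optional[int] = None, leeway: int = 60) -> dict:
    """Resource server side: return the payload or raise ValueError.

    Order matters: pin the algorithm before trusting anything in the token, check
    the signature before reading claims, then check iss, aud and exp.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Never let the token pick the algorithm: 'none' and key-confusion attacks start here.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this audience")
    now = int(time.time()) if now is None else now
    if "exp" not in payload or now > int(payload["exp"]) + leeway:
        raise ValueError("token expired")
    return payload


def verdict(token: str, key: bytes, issuer: str, audience: str, now: int) -> str:
    """'ok' or the reason the token was rejected."""
    try:
        verify_jwt(token, key, issuer, audience, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def demo() -> dict:
    key = b"constructed-demo-key-not-for-production"  # constructed sample key
    issuer = "https://authority.example"              # assumed server URL
    now = 1_700_000_000                               # fixed clock for a reproducible run
    claims = {"iss": issuer, "sub": "user-123", "aud": "my-client", "iat": now, "exp": now + 300}
    good = sign_hs256(claims, key)

    # Tampered: swap in a payload claiming a different subject, keep the original signature.
    header_b64, _, sig_b64 = good.split(".")
    forged = b64url_encode(json.dumps({**claims, "sub": "admin"}, separators=(",", ":")).encode())
    tampered = f"{header_b64}.{forged}.{sig_b64}"

    # alg 'none' with an empty signature, which some libraries once accepted.
    none_header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    alg_none = f"{none_header}.{forged}."

    return {
        "valid": verdict(good, key, issuer, "my-client", now),
        "expired": verdict(good, key, issuer, "my-client", now + 400),
        "wrong_audience": verdict(good, key, issuer, "other-client", now),
        "tampered": verdict(tampered, key, issuer, "my-client", now),
        "alg_none": verdict(alg_none, key, issuer, "my-client", now),
        "wrong_key": verdict(good, b"some-other-key", issuer, "my-client", now),
    }
```

demo() returns "ok" for the freshly minted token and a distinct rejection reason for each failure mode: a token 400 seconds past issue with a 300-second lifetime and 60 seconds of leeway is "token expired", a payload edited after signing is "bad signature", and a token whose header claims alg none is refused before its signature is even looked at. In production the key would be selected from the JWKS by the header's kid and the algorithm check would pin the asymmetric algorithm the server publishes.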
RFC 6749
The OAuth 2.0 Authorization Framework specification.
RFC 6750
OAuth 2.0 Bearer Token Usage specification.
RFC 7636
Proof Key for Code Exchange (PKCE) specification.
RFC 8628
Device Authorization Grant specification.
OpenID Connect Core 1.0
The specification for identity layer on top of OAuth 2.0.