Skip to end of banner
Go to start of banner

OAuth 2.0 and OpenID Connect Flows

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 10 Next »

OAuth 2.0 and OpenID Connect are industry standard protocols for authenticating users and authorizing third-party applications to access Web APIs on behalf of a resource owner approving that access or by allowing those third-party applications to access those APIs directly.

In OAuth 2.0, the entities involved in this exchange include the following:

  • Resource Owner – This is the user who owns the resource or data, such as their profile information, that is being requested by the application. 
  • Client Application – This is the application that is requesting the user's data. To call EmpowerID APIs, this application must be registered in EmpowerID.
  • Authorization Server – This is the identity store that knows about the resource owner and can verify their identity and issue tokens to authorize access to the requested resources.
  • Access Token – This is the key issued by the Authorization server to allow the client application to access requested resources from the resource server.
  • Resource Server – This is the API endpoint or server where the user's resources live.


A basic representation of these entities in an OAuth 2.0 flow is shown below:


  • No labels