Konubinix' opinionated web of thoughts

Resource Server Does Not Need to Know About the Resource Owner


The access token gives access to some data. By construction, the system should ensure that this data actually belongs to the resource owner.

But as far as the resource server is concerned, it only needs to check the token and provide the data that is unlocked by this token. No identity check is needed here.

The identity check, the permission checks and so on have already been done earlier in the flow by the authorization server.
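Added example, not part of the original note: a minimal resource server written to do exactly and only what the note describes. It verifies the token (signature, expiry, audience) and then decides from the token's own claims which data to release; at no point does it look up who the user is. Everything here is an assumption made for the example: a symmetric HMAC key shared with the authorization server, the claim names `aud`, `exp`, `scope` and `albums`, and the constructed album data. A real deployment would usually verify an asymmetric signature with the authorization server's public key instead.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumption for the example: authorization server and resource server share
# this HMAC key. Constructed value, not a real secret.
SHARED_KEY = b"example-shared-key-not-for-production"
AUDIENCE = "https://photos.example/api"

# Constructed sample data protected by the resource server, keyed by resource id.
# There is deliberately no "owner" field: the resource server never consults one.
RESOURCES = {
    "album-17": {"title": "Holiday", "photos": ["a.jpg", "b.jpg"]},
    "album-42": {"title": "Work", "photos": ["slides.jpg"]},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Authorization-server side (shown only so the example runs offline):
    after authenticating the resource owner and checking consent, sign the
    claims that describe what the token unlocks."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Resource-server side: check signature, expiry and audience.
    Returns the claims on success, None on any failure.
    The algorithm is fixed here; the header is never trusted to choose it."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        given_sig = _b64url_decode(sig)
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # wrong shape, bad base64 or bad JSON
        return None
    expected = hmac.new(SHARED_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given_sig, expected):
        return None
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None
    return claims


def serve_resource(token: str, resource_id: str,
                   now: Optional[float] = None) -> Tuple[int, Optional[dict]]:
    """Return (http_status, data). Authorization is decided purely from the
    token's claims: the scope must allow reading and the token must name the
    requested resource. No user identity is involved."""
    claims = verify_token(token, now)
    if claims is None:
        return 401, None
    scopes = claims.get("scope", "").split()
    if "albums:read" not in scopes or resource_id not in claims.get("albums", []):
        return 403, None
    data = RESOURCES.get(resource_id)
    if data is None:
        return 404, None
    return 200, data


if __name__ == "__main__":
    now = time.time()
    token = mint_token({"aud": AUDIENCE, "exp": now + 600,
                        "scope": "albums:read", "albums": ["album-17"]})
    print(serve_resource(token, "album-17"))   # 200 with the album
    print(serve_resource(token, "album-42"))   # 403: token does not name it
```

The point to notice is what is absent: `serve_resource` never receives or derives a user id. Whether `album-17` really belongs to the person who obtained the token was settled by the authorization server before it signed the `albums` claim; the resource server only has to make sure that claim is genuine and still valid.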
