Konubinix' opinionated web of thoughts

Three Worlds Analogy


three worlds analogy of OAuth 2.0

When trying to grasp the meaning of oauth 2.0 flows using self-encoded access tokens, I realized it was easier that way.

There are three worlds

  1. the world of real people, with names, addresses etc
  2. the world of JWT claim, composed of (key, value) data,
  3. the world of resources, whose nature depends on the domain.

The two servers defined in oauth 2.0 are translators between those worlds.

  1. the authorization server translates stuffs from the world of people to the world of claims,
  2. the resource server translates stuffs from the world of claims to the world of resources.

More precisely, the standard flow is like this:

  1. the client asks the user and the authorization server to privately discuss, so that the authorization transforms a people decision to a set of claims (contained in the access token).
  2. the authorization server provides this token to the client that in turn gives it to the resource server.
  3. the resource server translates this token into use of resources

On this flow, we can see that the resource server does not need to understand how the world of people work. It does not even need to assume that it exists. What only matters to it is the notion of claims and how those map to use of resources.

Similarly, the authorization server only needs to know how to produce claims, without assuming the existence of resources.

What glues those worlds is the designer of the system that ensures that the translation make sense and that a story of the form “user A can use resource R” can be lived.

Notes linking here