In the OAuthv2 authorization grant, a “client app” authenticates itself against an “auth server”, and receives an “access token” for accessing resources living on a “resource server”.
My concerns:
- How does the resource server know that the access token is valid (not forged or expired)? Is there some underlying background communication between resource server and auth server?
- How does the resource server know the scope of the access token (read or write)? For instance, maybe when the client app was authorized, the user only authorized it for READ ONLY, but now the client app is trying to modify resources. How does the resource server protect against this?
- Obviously in the real world there needs to be more fine-grained roles/scopes than just READ and WRITE. For instance, a web service might need to allow WRITEs to certain users/clients, but only for certain resources, or for resources under the right conditions. How do the built-in OAuthv2 scopes get mapped to app-specific roles/permissions?
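As an added illustration (not part of the question or of any answer), here is a stdlib-only Python sketch of what a resource server does per request: it verifies a self-contained signed token locally (the alternative to calling the auth server via RFC 7662 token introspection), rejects expired tokens, and maps the token's scope strings to app-specific operations with an ownership condition on writes. The HMAC signing, the shared key, the `docs:read`/`docs:write` scope names and the ownership policy are constructed assumptions for the demo; production deployments use JWS-signed JWT access tokens or introspection rather than this hand-rolled format.

```python
import base64, hashlib, hmac, json

# Assumption: the auth server and resource server share this symmetric key (constructed demo value).
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Assumed app-specific policy: which HTTP methods each OAuth scope string unlocks.
SCOPE_PERMISSIONS = {
    "docs:read": {"GET"},
    "docs:write": {"GET", "PUT", "DELETE"},
}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims):
    """Auth-server side: sign the claims so the resource server can check them without a callback."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def verify_token(token, now):
    """Resource-server side: return the claims, or None if the token is forged, malformed or expired."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # signature mismatch: forged or tampered token
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong number of parts, bad base64, bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None  # expired, or no expiry claim at all
    return claims

def authorize(token, method, resource_owner, now):
    """Allow `method` only if the token is valid, a granted scope covers it,
    and (for anything other than GET) the token's subject owns the resource."""
    claims = verify_token(token, now)
    if claims is None:
        return False
    allowed = set()
    for scope in claims.get("scope", "").split():  # scope is a space-separated string
        allowed |= SCOPE_PERMISSIONS.get(scope, set())
    if method not in allowed:
        return False
    return method == "GET" or claims.get("sub") == resource_owner
```

The scope check answers the read-only-client case (a `docs:read` token cannot PUT), and the ownership test is where the app-specific "only for certain resources" rule lives, on top of the coarse OAuth scopes.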