OAuth 2.0 Authorization and OpenID Connect Authentication API

The OAuth 2.0 authorization model allows a client application to obtain access to a HTTP service or resource, either on behalf of the user who owns the resource or on behalf of the application itself. To do this, the application obtains an access token via the following operations:

• Push an Authorization Request

• Obtain Authorization

• Obtain a Token

• Verify an Access Token

• Revoke a Token

• Obtain Public Keys

• Log out

• Obtain OAuth 2.0 and OpenID Connect Metadata

When the OAuth authorization code grant flow is used, the application must use both operations. When the client credentials grant flow is used, the application directly obtains the token via the second operation. See [RSE_AUTH_INTEG] for an overview of the two use cases.

In both cases, the application uses the obtained access token to invoke the protected service or resource as described in Authorization for Using APIs.