nitewulf
The only bit that I don’t see explained is this bit "the Access Token is just a string of gibberish to pass with any request to the Resource Server, and the Resource Server knows if the token is valid. "
How? What is the link between the Resource Server and the Authorization server, especially if they are in different domains?