Resource Server and Client in OAuth2/OIDC

I am making a simple frontend (movie-view) and backend (movie-api) application using Keycloak.

In Keycloak:

I have a client for both applications.

Movie-view-client → public

movie-backend-client → bearer-only or confidential


And I have 3 users and 3 roles:

User1 has Role1

User2 has Role2

User3 has Role3


I added and configured Keycloak adapters for both my applications. I also added some authorization rules for the APIs in my backend:

```java
// Each endpoint requires the matching role from the access token
.antMatchers("/role1endpoint").hasRole("role1")
.antMatchers("/role2endpoint").hasRole("role2")
.antMatchers("/role3endpoint").hasRole("role3")
// ...
```

The frontend receives an Access Token and ID Token via Keycloak login and, by adding the Access Token to the header (`Authorization: Bearer ey...`), sends requests to the backend (movie-api) APIs.

There is no problem with the applications, the authorization works correctly. But I am confused about **ResourceServer - AccessToken** definitions in OAuth2/OIDC Protocols.

According to the definitions, the Access Token is the token that the client application (movie-view or movie-backend) sends to the Resource Server in a header to access some information.

But in this case, I am using the Access Token to authorize my client application (movie-backend).

In this case, is the resource server my movie-backend application (meaning the client and resource server are the same)?

Hi @htnc,

Typically we would refer to the “Client” as the medium a user interacts with. For example, a web browser. The “resource server” would be the back-end with protected routes/information. The client will usually receive an access/ID token, and send it to the resource server as a header in the request that is sent.

If you’re simply using the access token to decide what routes the user is able to navigate to, you could consider the client to be the browser, and I’d probably consider the webserver the app runs on to be the resource server.

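Added example, not part of the thread and not Keycloak or Spring code: a sketch of the checks a resource server such as movie-api makes on the bearer token before the role rules from the question apply. Assumptions: HS256 with a shared secret stands in for Keycloak's default RS256, the token's `aud` contains `movie-backend-client`, the realm roles sit in Keycloak's `realm_access.roles` claim, and all function names and sample claims are constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed values. Keycloak signs with RS256 by default; HS256 with a shared
# secret is swapped in here only so the sketch runs on the standard library.
SECRET = b"constructed-demo-secret"
RESOURCE_SERVER = "movie-backend-client"  # audience the API expects (assumption)
ROUTE_ROLES = {f"/role{n}endpoint": f"role{n}" for n in (1, 2, 3)}
# Constructed claims for User1: azp names the client that obtained the token.
SAMPLE_CLAIMS = {"azp": "movie-view-client", "aud": ["movie-backend-client"],
                 "exp": 2_000_000_000, "realm_access": {"roles": ["role1"]}}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_token(claims: dict) -> str:
    """Stand-in for the authorization server issuing an access token."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(sign(head + '.' + body))}"

def authorize(authorization_header: str, path: str, now=None) -> int:
    """Resource-server side: return the HTTP status the API would answer with."""
    scheme, _, token = authorization_header.partition(" ")
    parts = token.split(".")
    if scheme != "Bearer" or len(parts) != 3:
        return 401
    head, body, sig = parts
    try:
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        sig_ok = hmac.compare_digest(sign(f"{head}.{body}"), b64url_decode(sig))
    except ValueError:
        return 401
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return 401
    if header.get("alg") != "HS256" or not sig_ok:
        return 401  # forged or altered token
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if claims.get("exp", 0) <= (now or time.time()) or RESOURCE_SERVER not in aud:
        return 401  # expired, or issued for a different resource server
    roles = claims.get("realm_access", {}).get("roles", [])
    return 200 if ROUTE_ROLES.get(path) in roles else 403  # unknown path: denied
```

The API never trusts `azp` or the frontend for authorization: it accepts the token only if the signature, expiry and audience hold, and only then compares the roles with the route.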