1. Authorization Server Overview

The Authorization Server is hosted in a  Service Context (SC). It is used for generating access tokens that are required for accessing REST APIs hosted by the REST Server agent when the OAuth 2.0 Authentication feature is enabled in the REST Server agent. Client applications that wish to obtain access token from the Authorization Server must be registered first using the Authorization Server's Management API. Please refer to Section 4. Management API for information on the registration process. For more information on the REST Server agent, see 9.66 REST Server Agent

Once the client application has been registered, it can request for access token from the Authorization Server using the client id and secret that was by provided by the Authorization Server during the registration process. Each access token has an expiry time (in seconds) and can be only used for a limited period of time. Upon expiry, the client application will need request for another token from the Authorization Server.

After obtaining the access token, the client application will need to include access token in the HTTP Authorization header fields of the REST API Call request to the REST Server agent. If the OAuth 2.0 Authentication feature is enabled in the REST Server agent, then it will check for validity of the access token provided to ensure that it was a JSON Web Token (JWT) based token in the format such as generated by the Authorization Server and has not expired. Finally, the REST API Response will be generated based on the business logic implemented in the workflow containing the REST Server agent



REST Server and Authorization Server architecture