Authorization Server Overview(4.0)
The Authorization Server is hosted in the Platform. It is used for generating access tokens that are required for accessing REST APIs hosted by the HTTP/2 Server agent when the OAuth 2.0 Authentication feature is enabled in the HTTP/2 Server agent. Before using the Authorization Server, you will first need to go through the prerequisites mentioned in Bootstrapping Authorization Server Credentials and Secrets(4.0).
Client applications that wish to obtain an access token from the Authorization Server must first be registered using the Authorization Server's Management API. Refer to the section Management API(4.0) for information on the registration process. For more information on the HTTP/2 Server agent, see HTTP/2 Server Agent(4.0).
Once the client application has been registered, it can request an access token from the Authorization Server using the client id and secret that were provided by the Authorization Server during the registration process. Each access token has an expiry time (in seconds) and can only be used for a limited period of time. Upon expiry, the client application will need to request another token from the Authorization Server.
After obtaining the access token, the client application will need to include the access token in the HTTP Authorization header field of the REST API call request to the HTTP/2 Server agent. If the OAuth 2.0 Authentication feature is enabled in the HTTP/2 Server agent, the agent checks the validity of the access token to ensure that it is a JSON Web Token (JWT) based token in the format generated by the Authorization Server and that it has not expired. Finally, the REST API response is generated based on the business logic implemented in the workflow containing the HTTP/2 Server agent.
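The checks described above, sketched as an added example; this is not code from the product or its documentation. The Bearer scheme, the HS256 algorithm, the shared key and the names make_token and check_authorization are assumptions, since the page does not say how the agent verifies a token's signature.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, key):
    """Constructed HS256 JWT for testing (stands in for the Authorization Server)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def check_authorization(header_value, key, now=None):
    """Return (accepted, reason) for the value of an Authorization header."""
    now = time.time() if now is None else now
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False, "not a bearer token"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a JWT"
    try:
        head = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False, "not a JWT"
    if not isinstance(head, dict) or not isinstance(claims, dict):
        return False, "not a JWT"
    # Assumption: HS256 is pinned by the verifier, not taken from the token.
    if head.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    exp = claims.get("exp")  # seconds since the epoch
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"
    return True, "ok"
```

The signature is checked before the expiry claim is read, so an unsigned or re-signed token cannot extend its own lifetime.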
HTTP/2 Server and Authorization Server architecture