When Integration Server acts as an authorization server, it receives authorization requests from client applications. Client applications initiate the request by invoking the pub.oauth:authorize service. The authorization server handles the interactions between the client application, resource server, and resource owner for approval of the request. For information about configuring Integration Server as an authorization server, see Configuring Integration Server for OAuth.

When Integration Server acts as an authorization server, it issues access tokens as bearer tokens. A bearer token is an access token that allows any party in possession of the access token (Bearer) to use the token. The authorization server retains the information about the bearer tokens it issues, including the user information. When the client presents a bearer token to the resource server, the resource server sends the token to the authorization server to ensure that the token is valid and that the requested service is within the scope for which the access token was issued. A scope is the definition of the folders and services (resources) that the client can access on behalf of a resource owner.

If the user is authorized to access the folders and services, the resource server executes the request. If the user does not have privileges to access the resources, the resource server rejects the request. For information about user privileges, see Managing Users and Groups.