This article describes the principles of OAuth 2.0 and how to configure OAuth 2.0 in the Smart ID Digital Access component.

The purpose of OAuth 2.0 is to give applications limited and secure access to an HTTP resource on behalf of an end-user without exposing that user’s credentials to the application or the user’s device. OAuth 2.0 offers a way to limit what a specific client can access through “scopes”.

...

See Enable OAuth 2.0 authorization for Digital Access administration web service.

Terms

These are terms that are used in this article.

Authorization server
  • The authorization server issues access tokens to the client after the resource owner has been authenticated and has authorized the client to access the requested resource scopes.
  • In the Digital Access component, this is the Policy Service (protected by and accessed through the Access Point), which exposes its services through two REST endpoints: /authorize and /token.


Resource server
  • A resource server is an entity that stores a protected resource.
  • In the Digital Access component, this is the Access Point, even though it does not actually store any resource. As a reverse proxy it can seamlessly extend any resource with OAuth 2.0 access token validation without the resource needing any knowledge of OAuth 2.0.


Resource owner
  • A resource owner is an entity that owns a specific resource (data) and is capable of granting a client access to that resource.
  • In the Digital Access component this is a user, also referred to as an ‘end-user’.


Client
  • A client is an application that wants to access a protected resource on behalf of a resource owner. There are two types of clients in OAuth 2.0, confidential clients and public clients.
  • A confidential client is a client that can keep a secret (for example, an application executing on a secure server).
  • A public client is a client that cannot keep a secret (for example, a mobile device or web app).
  • In order to get access to the resource the client must first obtain a token through one of the token grant flows. A token gives access to a specific set of scopes that must be defined before registering a client.


Scope

A scope refers to a collection of one or more resources that are protected by OAuth 2.0.


Access token

An access token is issued to a client in order to allow that client to access one or more scopes on behalf of a specific resource owner.
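As an added illustration of how these roles fit together (example code, not the Digital Access component's own implementation): a simplified model in which the Policy Service issues tokens narrowed to the scopes a client was registered for, and the Access Point, acting as the reverse proxy, checks the bearer token and the scope protecting the requested path before forwarding. The scope names, path-to-scope mapping and in-memory token store are constructed assumptions; the page does not describe how the real Access Point validates tokens.

```python
import secrets
import time

# Scopes must be defined before a client is registered for them (constructed sample).
REGISTERED_SCOPES = {"read_profile", "write_profile"}

class PolicyService:  # authorization server role: issues and validates access tokens
    def __init__(self):
        self.clients = {}  # client_id -> scopes the client may be granted
        self.tokens = {}   # access token -> issued record

    def register_client(self, client_id, scopes):
        unknown = set(scopes) - REGISTERED_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        self.clients[client_id] = set(scopes)

    def issue_token(self, client_id, owner, requested_scopes, ttl=300):
        # Models /token: grant only scopes the client was registered for
        granted = set(requested_scopes) & self.clients[client_id]
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client": client_id, "owner": owner,
                              "scopes": granted, "exp": time.time() + ttl}
        return token

    def validate(self, token):
        # Token record, or None when the token is unknown or expired
        rec = self.tokens.get(token)
        return None if rec is None or rec["exp"] <= time.time() else rec

class AccessPoint:  # resource server role: reverse proxy enforcing a scope per path
    PROTECTED = {"/api/profile": "read_profile",  # path prefix -> required scope
                 "/api/profile/update": "write_profile"}

    def __init__(self, policy_service):
        self.policy_service = policy_service

    def handle(self, path, authorization):
        matches = [p for p in self.PROTECTED if path.startswith(p)]
        if not matches:
            return 200  # not protected by OAuth 2.0: pass through unchanged
        scope = self.PROTECTED[max(matches, key=len)]  # longest prefix wins
        if not authorization or not authorization.startswith("Bearer "):
            return 401  # no bearer token presented
        rec = self.policy_service.validate(authorization[len("Bearer "):])
        if rec is None:
            return 401  # unknown or expired token
        if scope not in rec["scopes"]:
            return 403  # token is valid but lacks the required scope
        return 200  # request forwarded to the backend resource
```

Note the distinction the Access Point makes: a missing, unknown or expired token yields 401, while a valid token that simply lacks the scope yields 403, so the backend resource never has to know about OAuth 2.0 at all.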


Grant types

A grant type is a way to obtain an access token. 

...