Authorization Servicesprovide Access Tokensto Clientson behalf of Usersthat they pass to a Serverto be granted access to resources.

In a basic model (as shown in Figure 22) the Serveris responsible for authorization (i.e. deciding what a user can do) while a separate identity provider (e.g. the operating system) is responsible for authentication (deciding who the user is).

In more complex models, the Serverrelies on external Authorization Servicesto provide some of its authorization requirements. These Authorization Servicesact in concert with an external identity provider which validates the user credentials before the external Authorization Servicecreates an Access Tokenthat tells the Serverwhat the user is a allowed to do. The Clientinteractions with these services may be indirect as shown in 6.2.2or direct as shown in 6.2.3.

Even when the Serverrequires the Clientto use an external Authorization Servicethe Serveris still responsible for managing and enforcing the Permissionsassigned to Nodesin its Address Space. The clauses below discuss the use of an external Authorization Service in more detail.