Actors in OAuth

OAuth contains the following actors:

Actor                 Description
--------------------  ------------------------------------------------------------------------------
Resource Owner        The end user who accesses the resource hosted on the resource server.
Client                A web application or mobile application that is authorized to access the resource on behalf of the resource owner.
Authorization Server  The server where the client application is registered; it issues (returns) the access token.
Resource Server       The web API or web service that provides access to the data.
User Agent            The browser or any device that runs the application.

The following is a logical representation of the OAuth flow:

The resource owner is the end user who wants to access a resource (an API) on the resource server. Resources hosted on the resource server are protected resources, so the resource server requires an access token from any client that accesses them. The client's responsibility is to obtain the access token from the authorization server and to pass it on every request it makes to the resource.

There are two types of clients: confidential clients and public clients. A web application is an example of a confidential client, because it keeps its client ID and client secret on the server. Public clients, by contrast, are native mobile applications installed on each device, or user-agent-based applications that use JavaScript to access resources and keep the client ID and client secret in the JavaScript itself, where they cannot be kept confidential.
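To make the division of responsibilities concrete, here is an added example (not code from the book) that plays all three server-side actors in one process: the authorization server authenticates a confidential client and issues an opaque token, the client attaches that token as a bearer header on each call, and the resource server refuses any request whose token is missing, malformed, expired or lacking the required scope. The client name, secret, scopes and in-memory stores are constructed for illustration.

```python
import secrets
import time

# Constructed in-memory state for the authorization server: registered
# clients and issued access tokens. Names and secrets are illustrative only.
CLIENTS = {"web-app": {"secret": "s3cr3t-constructed", "confidential": True}}
TOKENS = {}  # access_token -> {"sub", "scope", "exp"}


def issue_token(client_id, client_secret, subject, scope, ttl=3600, now=None):
    """Authorization server: authenticate the confidential client, then
    return an opaque access token bound to the resource owner and scope."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        return None  # unknown client or wrong secret: no token is issued
    token = secrets.token_urlsafe(32)  # opaque to the client; meaning lives server-side
    TOKENS[token] = {"sub": subject, "scope": set(scope.split()), "exp": now + ttl}
    return token


def introspect(token, now=None):
    """Authorization server: report whether a token is still active."""
    now = time.time() if now is None else now
    meta = TOKENS.get(token)
    if meta is None or meta["exp"] <= now:
        return {"active": False}
    return {"active": True, "sub": meta["sub"], "scope": meta["scope"]}


def resource_server(headers, required_scope, now=None):
    """Resource server: every request must carry a valid bearer token whose
    scope covers the protected resource. Returns (status, body)."""
    auth = headers.get("Authorization", "")
    scheme, _, value = auth.partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        return 401, "missing or malformed bearer token"
    info = introspect(value.strip(), now)
    if not info["active"]:
        return 401, "invalid or expired token"
    if required_scope not in info["scope"]:
        return 403, "insufficient scope"
    return 200, f"protected data for {info['sub']}"


def client_request(token, required_scope="read:profile", now=None):
    """Client: attach the access token to each call to the resource server."""
    return resource_server({"Authorization": f"Bearer {token}"}, required_scope, now)
```

Fixed `now` values are passed through so the expiry path can be exercised deterministically.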