Authorization server

This is the server that authenticates and authorizes client applications to access the secured resources owned by the resource owner and on the resource server. It is not uncommon to see the same server performing both roles.

To participate in OAuth, your application has to first register with the service provider (Google, Facebook, and so on) against which you plan to authenticate by providing the application name, application URL, and callback URL. Successful registration of your application with the service provider gives you two values unique to your application: client_id and client_secret. client_id can be exposed publicly, but client_secret is kept hidden (private). Both these values are needed whenever you access the service provider. The following diagram shows the interactions between these roles:

Figure 8: OAuth role interaction

The steps in the preceding diagram are covered in detail here:

  1. The client application requests the resource owner to give them authorization to access the secured resources.
  2. If the resource owner authorizes this, the authorization grant is sent to the client application.
  3. The client application asks the authorization server for a token, using the grant provided by the resource owner along with its own authentication credentials.
  4. If the credentials and grant from the client application are valid, the authorization server issues an Access Token to the client application.
  5. The client application accesses the protected resources on the resource server using the Access Token provided.
  6. If the Access Token sent by the client application is valid, the resource server gives access to the secured resources.
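The six steps above, walked through as an added in-memory simulation (example code, not from the book or any real provider): registration yields client_id and client_secret, the owner's approval becomes a single-use grant, the authorization server checks grant and credentials before issuing a token, and the resource server checks token validity, expiry and scope. All state and identifier formats are assumptions for the example.

```python
import secrets
import time

# Constructed in-memory stores standing in for the authorization and resource servers.
REGISTERED_CLIENTS = {}   # client_id -> {"name", "secret", "redirect_uri"}
GRANTS = {}               # authorization code -> (client_id, owner, scope)
TOKENS = {}               # access token -> (owner, scope, expiry)

def register_client(name, redirect_uri):
    """Registration with the provider: client_id is public, client_secret stays private."""
    client_id = secrets.token_urlsafe(8)
    client_secret = secrets.token_urlsafe(24)
    REGISTERED_CLIENTS[client_id] = {"name": name, "secret": client_secret,
                                     "redirect_uri": redirect_uri}
    return client_id, client_secret

def authorize(client_id, owner, scope, approved):
    """Steps 1-2: the owner decides; approval yields a single-use authorization grant."""
    if client_id not in REGISTERED_CLIENTS or not approved:
        return None
    code = secrets.token_urlsafe(16)
    GRANTS[code] = (client_id, owner, frozenset(scope))
    return code

def issue_token(client_id, client_secret, code, ttl=3600):
    """Steps 3-4: grant and client credentials are both checked before a token is issued."""
    client = REGISTERED_CLIENTS.get(client_id)
    grant = GRANTS.pop(code, None)   # consumed on first use, so a replayed code fails
    if client is None or grant is None or grant[0] != client_id:
        return None                  # unknown client, unknown/used code, or code issued to another client
    if not secrets.compare_digest(client["secret"], client_secret):
        return None                  # constant-time comparison of the client secret
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (grant[1], grant[2], time.time() + ttl)
    return token

def access_resource(token, needed_scope, now=None):
    """Steps 5-6: the resource server serves only a valid, unexpired token carrying the scope."""
    entry = TOKENS.get(token)
    if entry is None:
        return None
    owner, scope, expiry = entry
    if (now if now is not None else time.time()) >= expiry or needed_scope not in scope:
        return None
    return f"profile of {owner}"
```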