I'm currently studying OAuth 2.0 and OpenID Connect and I have a doubt regarding the Authorization Server and Access Tokens. The spec defines the Authorization Server as:
The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
So as I understood, the client redirects the user to the Authorization Server, the user authenticates itself at the Authorization Server and the Authorization Server issues an access token to the client.
Now here comes a thing I couldn't understand until now. There are two possible ways to understand this and I'm trying to get the right one:
1. The Authorization Server issues the access token containing the user's claims. The access token with the user's claims is sent with each request to the resource server, and the resource server is able to read those claims and, based on them, allow or deny access to resources.
2. The Authorization Server issues the access token already containing explicit instructions to allow or deny access to resources on the resource server. The resource server thus just reads this information to see if the user can do something or not.
The first option seems to be the right way to understand the thing. In that case the Authorization Server will manage the user's claims and issue tokens containing just the claims (things like birthday, age, role and so on). This, in turn, gives another responsibility to the resource server: deciding based on claims whether a resource is available or not.
The second option is much more limited. Instead of just issuing claims, the authorization server would need to issue an authorization for each resource, the token could get quite heavy, and managing this complexity seems to be hard.
So is my understanding correct? The Authorization Server is thus responsible for managing user claims and issuing tokens containing just the claims? On the other hand, the resource server is responsible for allowing or denying access to resources based on claims?
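A worked example of the first model described in the question, added here as an editor's illustration (it is not part of the question or of any answer): the Authorization Server mints a signed access token carrying claims, and the Resource Server validates the token (signature, audience, expiry) and then makes the access decision itself from the claims and the OAuth `scope` value in the token. The issuer and audience URLs, the `role` claim, the scope names, the HS256 shared secret and the `authorize` policy are all constructed for this example; a real deployment would normally sign with an asymmetric key so the resource server never holds a signing secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for HS256 (example only). With RS256/ES256 the
# Authorization Server signs with a private key and the Resource Server
# verifies with the public key, so the RS cannot mint tokens itself.
SECRET = b"example-shared-secret-not-for-production"
ISSUER = "https://as.example"      # assumed issuer
AUDIENCE = "https://api.example"   # assumed resource server identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(sub, role, scopes, lifetime=300, now=None):
    """Authorization Server side: mint a JWT whose payload is just claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "at+jwt"}
    payload = {
        "iss": ISSUER, "aud": AUDIENCE, "sub": sub,
        "role": role,                 # assumed custom claim
        "scope": " ".join(scopes),    # OAuth scopes, space-separated
        "iat": now, "exp": now + lifetime,
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token, now=None):
    """Resource Server side: validate the token and return its claims, or None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":          # refuse alg=none and key confusion
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None                            # tampered or foreign token
        claims = json.loads(_b64url_decode(p))
    except ValueError:                             # malformed base64/JSON/structure
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None                                # token meant for another audience
    if claims.get("exp", 0) <= now:
        return None                                # expired
    return claims


def authorize(claims, action, resource_owner):
    """Resource Server policy: the decision is made here, from claims + scopes.

    The token never says 'may delete report 42'; it says who the subject is,
    what role the AS asserted, and which scopes the user consented to.
    """
    if claims is None:
        return False
    scopes = set(claims.get("scope", "").split())
    if action == "read":
        return "reports:read" in scopes and (
            claims["sub"] == resource_owner or claims.get("role") == "admin")
    if action == "delete":
        return "reports:write" in scopes and claims.get("role") == "admin"
    return False


if __name__ == "__main__":
    tok = issue_access_token("alice", "user", ["reports:read"])
    print(authorize(verify_access_token(tok), "read", "alice"))   # True
    print(authorize(verify_access_token(tok), "delete", "alice")) # False
```

Note the division of labour: the Authorization Server decides what goes into the token (identity, role, consented scopes) and the Resource Server decides what those claims permit for a specific resource. Scopes are the standard OAuth way for the Authorization Server to express coarse-grained, delegated permissions, which is as close as the protocol gets to the second model in the question; per-resource decisions still belong to the resource server.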