There are four basic roles in OAuth 2 that need to be understood: the resource owner, the client, the authorization server and the resource server. The authorization server issues access tokens which can then be used by clients (such as mobile apps) when making requests of protected resources on behalf of users or other clients. Authorization servers should always validate all incoming requests for security vulnerabilities such as SQL injection or XSS before issuing access tokens.

The Resource Owner

This is your user who has been authenticated via username/password credentials and now wants some data from your API(s)
https://t.co/KfIeT2kc1v