Basic Understanding of OAuth2

Several terms come up in any discussion of OAuth2 that confuse non-technical readers and beginners. This post explains them in a very short and simplified way.

OAuth2 (OAuth 2.0) is an authorization framework and the second version of OAuth. It lets a third-party application obtain limited access to a user's resources on another service without the user handing that application their password. OAuth2 is about authorization (what a client may access), not authentication (who the user is); authentication built on top of OAuth2 is the job of OpenID Connect.

  1. Client: The application that wants to access the user's data on the user's behalf.

  2. Resource Server: The server that hosts the protected data the client wants and that accepts access tokens.

  3. Authorization Server: Authenticates the user, asks for their consent, and issues access tokens (and refresh tokens) to the client.

  4. Resource Owner: The user, the entity that owns the data and decides what the client may access.

So, the Client Application sends a request for data to the Resource Server, and the Resource Server collects it and sends it back. But what if the client is malicious software? Without some control, it would get access to all of your data, including data that was never meant to be disclosed.

How to avoid it?

This is where the access token comes in. The client sends the access token with each request to the resource server; the resource server verifies it (that it was issued by its authorization server, has not expired, and covers the requested scope) and only then returns the data. The access token acts as an entry pass, and it is normally short-lived.

The other type of token is the refresh token. It is never sent to the resource server. The client sends it only to the authorization server, and only when the access token has expired and needs to be renewed; the authorization server then issues a fresh access token.

Who issues the access token?

The client asks the authorization server for one. The authorization server authenticates the resource owner and asks them to grant the requested permissions (scopes) to the client application. Depending on the resource owner's answer, the authorization server issues an access token (and optionally a refresh token) and returns it to the client application, which then presents it to the resource server. The token is handed to the client, never directly to the resource server.

How to use the access token:

  1. Query parameter (https://api.hashnodeexample.com/id?access_token=QhwuQosKLOa). RFC 6750 allows this but discourages it: the token ends up in server logs, browser history and Referer headers. Avoid it.

  2. Authorization header (Authorization: Bearer QhwuQosKLOa). This is the standard and recommended way. Note that the header is named Authorization, not Authentication.
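To tie the four roles, the two token types and the two ways of presenting a token together, here is an added example that is not part of the original post. It is a toy, in-memory authorization server and resource server; the client id "photo-app", the user "alice", the scopes, the profile data and the URL are all constructed for the example, and a real deployment would talk to the authorization server over TLS and validate tokens by introspection or signature.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit


class AuthorizationServer:
    """Issues, validates and refreshes opaque bearer tokens (hypothetical, in-memory)."""

    def __init__(self, access_ttl=3600):
        self.access_ttl = access_ttl
        self._access = {}    # access token  -> (client_id, user, scopes, expires_at)
        self._refresh = {}   # refresh token -> (client_id, user, scopes)

    def issue(self, client_id, user, requested, consented, now=None):
        """Issue tokens for the scopes the resource owner actually consented to."""
        now = time.time() if now is None else now
        scopes = frozenset(requested) & frozenset(consented)
        if not scopes:
            raise PermissionError("resource owner granted none of the requested scopes")
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = (client_id, user, scopes, now + self.access_ttl)
        self._refresh[refresh] = (client_id, user, scopes)
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": self.access_ttl, "refresh_token": refresh,
                "scope": " ".join(sorted(scopes))}

    def refresh(self, client_id, refresh_token, now=None):
        """Exchange a refresh token for a new access token; the old one is rotated out."""
        entry = self._refresh.pop(refresh_token, None)
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid refresh token")
        _, user, scopes = entry
        return self.issue(client_id, user, scopes, scopes, now)

    def introspect(self, token, now=None):
        """Return the token's claims, or None if it is unknown or expired."""
        now = time.time() if now is None else now
        entry = self._access.get(token)
        if entry is None or now >= entry[3]:
            return None
        client_id, user, scopes, _ = entry
        return {"client_id": client_id, "user": user, "scope": scopes}


class ResourceServer:
    """Serves protected data only to requests carrying a valid bearer token."""

    def __init__(self, auth_server, profiles):
        self.auth_server = auth_server
        self.profiles = profiles   # user -> data (constructed sample data)

    def handle(self, url, headers, required_scope, now=None):
        """Return (HTTP status, body) using the RFC 6750 error codes."""
        # Tokens in the query string leak via logs, history and Referer: refuse them.
        if "access_token" in parse_qs(urlsplit(url).query):
            return 400, {"error": "invalid_request",
                         "error_description": "send the token in the Authorization header"}
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token.strip():
            return 401, {"error": "invalid_request"}       # no usable credential at all
        claims = self.auth_server.introspect(token.strip(), now)
        if claims is None:
            return 401, {"error": "invalid_token"}         # expired or never issued
        if required_scope not in claims["scope"]:
            return 403, {"error": "insufficient_scope"}    # valid token, wrong permissions
        return 200, self.profiles[claims["user"]]


def run_exchange():
    """Walk the four roles through one authorization, use, expiry and refresh."""
    auth = AuthorizationServer(access_ttl=3600)
    api = ResourceServer(auth, {"alice": {"id": "alice", "email": "alice@example.com"}})
    url = "https://api.example.com/id"
    t0 = 1_700_000_000   # fixed clock so the run is deterministic

    # The client asks for two scopes; the resource owner consents to only one of them.
    tokens = auth.issue("photo-app", "alice", ["profile:read", "profile:write"],
                        ["profile:read"], now=t0)
    good = {"Authorization": f"Bearer {tokens['access_token']}"}
    results = {
        "scope": tokens["scope"],
        "header_ok": api.handle(url, good, "profile:read", now=t0)[0],
        "query_rejected": api.handle(f"{url}?access_token={tokens['access_token']}",
                                     {}, "profile:read", now=t0)[0],
        "wrong_scope": api.handle(url, good, "profile:write", now=t0)[0],
        "expired": api.handle(url, good, "profile:read", now=t0 + 3600)[0],
    }
    # The access token has expired: the client goes back to the authorization server.
    renewed = auth.refresh("photo-app", tokens["refresh_token"], now=t0 + 3600)
    results["after_refresh"] = api.handle(
        url, {"Authorization": f"Bearer {renewed['access_token']}"},
        "profile:read", now=t0 + 3600)[0]
    # The old refresh token was rotated out, so replaying it must fail.
    try:
        auth.refresh("photo-app", tokens["refresh_token"], now=t0 + 3600)
        results["replay_blocked"] = False
    except PermissionError:
        results["replay_blocked"] = True
    return results


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name}: {value}")
```

The resource server never sees the refresh token and never accepts a token from the query string, and the authorization server only grants the intersection of what the client asked for and what the owner consented to; the refresh token is single-use, so a stolen copy that is replayed after the legitimate client has used it is rejected.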