In a business setup, you may want to grant access to only specific resources. In OAuth 2.0, access permissions can be defined depending on the user, the application, and the OAuth 2.0 scope.
You registered your OAuth 2.0 client at the OAuth 2.0 authorization server.
The client must know the token endpoint.
The resource owner has configured the client so that it knows the resources it wants to access and the scopes to which they belong.
The user must be allowed to delegate access to these scopes to the respective OAuth 2.0 client.
A resource owner wants to grant a printing service access to protected photos stored at a photo-sharing service (resource server) without sharing his or her user name and password with the printing service. The resource owner uses a browser as a user agent and wants to access his or her resources on the resource server, for example, an SAP NetWeaver Application Server ABAP. The browser sends an authorization code request to the authorization server. The authorization server authenticates the resource owner and issues an authorization code representing the selected set of OAuth 2.0 scopes to the OAuth 2.0 client. The OAuth 2.0 client receives the authorization code and sends an access token request, which includes the authorization code, to the authorization server. The authorization server receives the access token request at its token endpoint and validates it. If the validation of the authorization code is successful, it issues an access token. Finally, the resource owner can use this access token to access the protected resource and grant access to the printing service.
Both, the authorization server and the resource server reside in the AS ABAP although they are separate components.
For more information, see Configuring OAuth 2.0.