I have been reading about OAuth, and not quite sure I understand.
From what I read, the following is what I think is going on:
The client (someone with a browser), tries to access a web service. The Web Service routes the request to a Identify Provider (or Authentication server). The user logs into the Identity provider. The Identity provider sends a token to the web service. This token says the user is trusted, and can stay logged in. The web service can now check the token to see what actions the user is authorized for.
Is this correct. Am I missing something?
Is there encryption involved ? If so where