There was a discussion today that I did not really agree so I figured I'd ask others in the community to see if someone else can chime in.
I have REST services that are running on an application server like JBoss for example. I want to expose services externally using the Authorization Grant with OAuth 2.0 Let us say that the OAuth 2.0 dance is taken care of by the CA Gateway. I still need to authenticate in my JBoss server.
The discussion is around who the authenticated party on the JBoss server is. Is it the resource owner (the person that granted the access) or is it the client-id that was used to request the OAuth token.