Upon successful authentication, the resource owner must make a decision to authorize the client to access the protected resource.