The XSUAA service, inside SAP BTP, handles the authorization flow between users, identity providers, and applications or services. XSUAA is an internal SAP development dedicated to SAP BTP. The Cloud Foundry project has an open-source component called UAA, an OAuth provider that takes care of authentication and authorization. SAP took UAA as its base and extended it with SAP-specific features for use in SAP BTP.
Learn more about the Cloud Foundry UAA here: https://docs.cloudfoundry.org/concepts/architecture/uaa.html
The XSUAA service takes care of authentication and authorization in the SAP BTP Cloud Foundry environment, granting business users permissions through business roles. XSUAA does not store user data or user records; instead it needs a trusted connection to an identity provider. This can be the SAP ID Service or a corporate identity provider that has been integrated with SAP BTP, which can be done via SAP Cloud Identity Services - Identity Authentication Service (IAS). Learn more about SAP's XSUAA service here: https://help.sap.com/docs/CP_AUTHORIZ_TRUST_MNG/ae8e8427ecdf407790d96dad93b5f723/649961f8d4ad463daca33b3a20deba4c.html?locale=en-US and here: https://help.sap.com/docs/BTP/65de2977205c403bbc107264b8eccf4b/2ce1a962c3be48dd8035513b0a2d7397.html?locale=en-US
The XSUAA service is the central infrastructure component of the Cloud Foundry environment in SAP BTP for business user authentication and authorization. SAP has enhanced the Cloud Foundry UAA by adding a service broker, multi-tenancy, management API functions, and some minor enhancements. XSUAA uses OAuth both for authentication between the various services and for the connection to the identity provider.
OAuth is an open standard that applications and websites use to handle authorization. OAuth does not share password data; instead it uses authorization tokens to prove an identity between consumers and service providers, so you can approve one application interacting with another on your behalf without giving away your password. The tokens used with OAuth here are JWT tokens. JWT (pronounced "jot") is an open standard that defines a compact and self-contained way of securely transmitting information between parties. JWT is widely used in OAuth to securely transmit user information and access rights.
Learn more about OAuth here: https://oauth.net/2/ and more about JWT Tokens here: https://jwt.io/introduction
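To make the "compact and self-contained" property concrete, here is an added example (not code from SAP or the XSUAA service) of how a resource service checks a JWT it receives: it verifies the signature, the algorithm, the expiry and the audience before trusting the scopes inside. The issuer, audience, scope names and secret are constructed placeholders, and it signs with HMAC-SHA256 so that it runs offline, whereas XSUAA tokens are verified against the service's published public keys rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo values (not real XSUAA identifiers or keys).
SECRET = b"constructed-demo-secret"
NOW = 1_700_000_000  # fixed clock so the example is deterministic

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact JWT: base64url(header).base64url(claims).base64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    sig = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])

def verify_token(token: str, audience: str, secret: bytes = SECRET, now: float = NOW) -> Optional[dict]:
    """Return the claims only if signature, algorithm, expiry and audience all check out."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None                          # malformed token
    if header.get("alg") != "HS256":
        return None                          # only accept the algorithm we expect
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None                          # header or payload was altered
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        return None                          # token has expired
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        return None                          # token was issued for another application
    return claims

def has_scope(claims: dict, scope: str) -> bool:
    """Authorization decision the service takes on already verified claims."""
    return scope in claims.get("scope", [])

DEMO_CLAIMS = {"iss": "https://idp.example", "sub": "alice@example", "aud": "demo-app",
               "scope": ["demo-app.Display"], "exp": NOW + 600}

def tampered_copy(token: str) -> str:
    """Payload edited after issuance (extra scope), signature left as is: must fail verification."""
    h, _, s = token.split(".")
    forged = dict(DEMO_CLAIMS, scope=["demo-app.Display", "demo-app.Admin"])
    return ".".join([h, _b64url(json.dumps(forged, separators=(",", ":")).encode()), s])
```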