This chapter covers
- Implementing a Spring Security OAuth 2 resource server
- Using JWT tokens with custom claims
- Configuring introspection for opaque tokens or revocation
- Implementing more complex scenarios and multitenancy
This chapter discusses securing a backend application in an OAuth 2 system. What we call a resource server in OAuth 2 terminology is simply a backend service. While in chapter 14 you learned how to implement the authorization server responsibility using Spring Security, it’s now time to discuss how to use the token the authorization server generates.
In real-world scenarios, you might or might not implement a custom authorization server like we did in chapter 14. Your organization might use a third-party implementation instead of creating custom software. You can find many alternatives out there, ranging from open-source solutions such as Keycloak to enterprise products such as Okta, Cognito, or Azure AD. An example with Keycloak is available in chapter 18 of the book’s first edition.
While you have options to configure an authorization server without needing to implement your own, you’ll have to implement the authentication and authorization on your backend properly. For that reason, I think this chapter is essential; the skills you learn by reading it have a high probability of helping you with your work. Figure 15.1 reminds you about the OAuth 2 actors and where we are at with our learning plan for this book part.