14 OAuth 2 – Implementing the resource server
This chapter covers
- Implementing an OAuth 2 resource server with Spring Security.
- Implementing token validation by direct communication between the resource server and the authorization server.
- Using token stores to customize token management.
- Implementing token validation through blackboarding.
In this chapter, we discuss implementing a resource server with Spring Security. The Resource Server is the component that manages users’ resources. The name Resource Server might not be suggestive at the beginning. Still, it actually represents in terms of OAuth 2 the backend you secure (just like any other app we’ve secured in the previous chapters – remember, for example, the Business Logic Server we implemented in chapter 11?). To allow a client to access the resources, the Resource Server requires a valid access token. A client obtains the access token from the Authorization Server and can use this token to call resources on the Resource Server by adding it in the HTTP request headers. Figure 14.1 is a refresher from chapter 12 on the place of the Resource Server in the OAuth 2 authentication architecture.
Figure 14.1 The Resource Server is one of the components acting in the OAuth 2 authentication architecture. The Resource Server manages the users’ data. To call an endpoint on the Resource Server, a client needs to prove with a valid access token that the user approved them to work with their data.
