Spring Boot Security

OAuth2 Resource Server explained simply

A Spring Boot OAuth2 Resource Server is an API that protects endpoints by validating bearer tokens, usually JWTs, and converting token claims into permissions.

SecurityOAuth2JWTSpring Security

The Short Answer

An OAuth2 Resource Server is an application that protects resources, usually APIs.

In Spring Boot, this usually means your backend receives an access token, validates it, and decides whether the request is allowed.

The resource server is not usually the login screen. It is the API that says: “Is this request carrying a valid token, and does that token have permission?”

The Real Problem It Solves

Imagine you have a frontend app calling a Spring Boot API:

text
GET /api/products
Authorization: Bearer eyJhbGciOiJSUzI1NiIs...

The API needs to answer a few questions before returning data:

  • Is there a token?
  • Is the token valid?
  • Who is the user or client?
  • What scopes, roles, or permissions does the token contain?
  • Is this request allowed to access this endpoint?

Spring Security's OAuth2 Resource Server (dependency in Spring Initializr) support gives you a standard way to do that instead of writing token parsing and validation logic yourself.

Mental Model

1. Client

Frontend / Mobile App

Sends access token

2. Resource Server

Spring Boot API

Validates token

3. Authorization Server

Okta / Auth0 / Keycloak

Issues tokens

The authorization server issues the token. The client sends the token. The resource server validates the token and protects the API.

The Most Important Distinction

Many developers mix up these three roles:

Client

The application making the request. Example: React app, mobile app, another backend service.

Authorization Server

The system that logs users in and issues tokens. Example: Okta, Auth0, Keycloak, Azure AD.

Resource Server

The API being protected. In our case, the Spring Boot backend.

In this article, Spring Boot is the resource server. It is not responsible for showing the login screen. Its job is to protect APIs using the token it receives.

JWT Resource Server Flow

With JWTs, the token contains claims such as subject, issuer, expiration, scopes, and sometimes roles.

json
{
  "sub": "user-123",
  "iss": "https://auth.example.com",
  "scope": "products:read products:write",
  "exp": 1735689600
}

Spring Security checks whether the token is trustworthy. For JWTs, that usually means checking the token signature, issuer, expiration, and configured validation rules.

Request arrives
Token extracted
JWT validated
Controller runs

Basic Spring Boot Configuration

A typical Spring Boot resource server configuration may look like this:

java
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http
        .authorizeHttpRequests(auth -> auth
            .requestMatchers("/api/public/**").permitAll()
            .requestMatchers("/api/products/**").hasAuthority("SCOPE_products:read")
            .anyRequest().authenticated()
        )
        .oauth2ResourceServer(oauth2 -> oauth2
            .jwt()
        )
        .build();
}

This tells Spring Security that the application expects bearer tokens and should validate JWTs for protected endpoints.

Where Does the Public Key Come From?

If the authorization server signs JWTs with a private key, the resource server needs the matching public key to verify the signature.

In Spring Boot, this is often configured using an issuer URI:

java
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://auth.example.com

The resource server can use that issuer information to discover metadata and keys needed to validate incoming JWTs.

Important intuition: the API usually does not call the authorization server on every request just to ask, “Is this JWT valid?” For JWTs, the resource server can often validate the token locally using trusted signing keys.

Scopes vs Roles

Tokens often contain permissions as scopes:

json
scope: "products:read products:write"

Spring Security commonly maps scopes into authorities with the prefix SCOPE_.

json
hasAuthority("SCOPE_products:read")

Roles are a separate concept. Some systems put roles in custom claims, such as:

json
{
  "roles": ["ADMIN", "SUPPORT"]
}

If your identity provider sends roles in a custom claim, you may need custom mapping logic to convert those claims into Spring Security authorities.

Common Interview Follow-Ups

Is the resource server the same as the authorization server?

No. The authorization server logs users in and issues tokens. The resource server protects APIs and validates incoming tokens.

Does Spring Boot validate the JWT locally?

Usually yes for JWT-based resource servers. The API can validate the signature and claims using trusted public keys from the authorization server.

What is a bearer token?

A bearer token is a token where possession of the token is enough to make the request. That is why it must be protected carefully.

What is the difference between authentication and authorization here?

Authentication answers who the caller is. Authorization answers what the caller is allowed to do.

Where do scopes come from?

Scopes are usually added by the authorization server when it issues the access token.

Final Takeaway

A Spring Boot OAuth2 Resource Server is a protected API. It receives bearer tokens, validates them, converts token claims into security authorities, and uses those authorities to decide which requests are allowed.