
Resource Server JWT Validation and Claim Mapping

Explore how to configure a stateless Spring Security resource server to validate JWT tokens using public keys and enforce strict security checks. Understand how to create custom audience validators, handle clock skew, and map token claims to Spring Security authorities for precise access control. This lesson also covers testing the setup with client credentials and securing API endpoints effectively.


When building an OAuth 2.0 architecture, the authorization server issues tokens, but the resource server protects the actual data. A resource server operates statelessly. It does not handle user logins or maintain HTTP sessions. Instead, it intercepts incoming API requests, extracts the provided bearer token, and cryptographically verifies its authenticity. If the token is valid, the server inspects the internal claims to authorize access to specific endpoints.

We will build this verification layer using modern Spring Security components, ensuring that our APIs strictly validate incoming tokens and correctly map custom claims to internal security roles.

The stateless resource server model

A modern Spring Boot 4.0.6 and Spring Security 7 application acts as a resource server when we configure a SecurityFilterChain using the oauth2ResourceServer lambda DSL. This configuration instructs Spring Security to look for an Authorization: Bearer <token> header on incoming requests.

When a token is intercepted, the resource server must decode the JSON Web Token (JWT) and verify its signature. To do this, it relies on the public keys published by the authorization server via the modern /oauth2/jwks endpoint, which we established in the previous lesson.
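One way to wire up the filter chain and the JWK-backed decoder described above, as an added example rather than the lesson's own code. It assumes a hypothetical authorization server at http://localhost:9000, an audience value of orders-api and a custom roles claim; the audience validator and the clock-skew tolerance shown here are the checks this lesson goes on to introduce.

```java
import java.time.Duration;
import java.util.List;
import org.springframework.context.annotation.*;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceServerConfig {
    // Assumed values: the issuer, its JWK Set endpoint, and the audience this API expects in "aud".
    private static final String ISSUER = "http://localhost:9000";
    private static final String JWK_SET_URI = ISSUER + "/oauth2/jwks";
    private static final String EXPECTED_AUDIENCE = "orders-api";

    @Bean
    SecurityFilterChain resourceServerChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.requestMatchers("/api/admin/**").hasRole("ADMIN").anyRequest().authenticated())
            // Every request must carry Authorization: Bearer <token>; no HTTP session is used.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.decoder(jwtDecoder())
                .jwtAuthenticationConverter(authenticationConverter())));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Signatures are verified with the public keys fetched (and cached) from the JWK Set endpoint.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        // Reject tokens whose "aud" claim does not name this API.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(EXPECTED_AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                new JwtIssuerValidator(ISSUER),
                new JwtTimestampValidator(Duration.ofSeconds(60)), // 60 s clock-skew tolerance on exp/nbf
                audience));
        return decoder;
    }

    private JwtAuthenticationConverter authenticationConverter() {
        // Map the custom "roles" claim to ROLE_* authorities so hasRole("ADMIN") works.
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("roles");
        authorities.setAuthorityPrefix("ROLE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }
}
```

A token that is signed by a key in the JWK Set but carries the wrong audience, or an unexpected issuer, is rejected before any endpoint is reached.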

The following diagram illustrates the life cycle of a request hitting the resource server.

Directional flow of a client accessing a protected resource using a JWT

By caching the public keys locally, the resource server can validate subsequent tokens without making repeated network calls, ensuring high performance while maintaining a stateless architecture. We can now implement the validation logic required to enforce these security ...