Do I need resource server with Spring Security OAuth2?

时光取名叫无心 2020-12-20 01:36

I am trying to implement OAuth2 authentication with JWT tokens. If I understand, I need to send credentials to the authorization server, this verifies my credentials, and returns back si

3 answers
  •  轮回少年
    2020-12-20 01:50

    Yes, you will want to configure the resources protected by your JWTs by extending ResourceServerConfigurerAdapter. A basic implementation might look like this:

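    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

    @Configuration
    @EnableResourceServer
    public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                // Every request must carry a valid access token
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                // Never create an HTTP session; each request is authenticated by its token
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }

    }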
    

    This means you should have no need to extend WebSecurityConfigurerAdapter because the above configuration configures the same HttpSecurity object that you would be configuring in WebSecurityConfigurerAdapter. The public void configure(HttpSecurity http) works on the same thing in both classes.

    The reason we want to choose ResourceServerConfigurerAdapter over WebSecurityConfigurerAdapter is because it's part of the spring-security-oauth2 module that you are using, and will be used behind the scenes by the framework.

    You will of course need to make sure that you are using the same signing key for both your authorization and resource servers. If you are defining your security config beans in the same application, the resource server will automatically use the same beans; if not, you will need to duplicate whatever JWT-related config you have on your authorization server.
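
An added example (not part of the answer above, and not the project's own code) of the JWT configuration a stand-alone resource server would duplicate so that it verifies tokens with the authorization server's key. The class name `ResourceServerJwtConfig` and the property `jwt.key` are assumptions; the same beans and override could live in the `ResourceServerConfig` class shown in the answer.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableResourceServer
public class ResourceServerJwtConfig extends ResourceServerConfigurerAdapter {

    // Assumed property name. Inject the value from the environment or a
    // secret store; do not commit key material to source control.
    @Value("${jwt.key}")
    private String jwtKey;

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        if (jwtKey.trim().startsWith("-----BEGIN")) {
            // RSA: the resource server only needs the PEM-encoded public key.
            // The private key stays on the authorization server.
            converter.setVerifierKey(jwtKey);
        } else {
            // HMAC: one shared secret signs and verifies, so this value must be
            // identical to the one configured on the authorization server.
            converter.setSigningKey(jwtKey);
        }
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        // JwtTokenStore keeps no state; it decodes and verifies each token
        return new JwtTokenStore(accessTokenConverter());
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Tokens whose signature does not verify against the key are rejected
        resources.tokenStore(tokenStore());
    }
}
```

With an RSA key pair, a compromised resource server exposes only the public key, so it cannot be used to mint tokens; with a shared HMAC secret, every service holding the secret can.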
