| | Authorization Server | Resource Server |
|---|---|---|
| Role | Identity provider — issues tokens | Protects APIs — validates tokens |
| Responsibilities | Authenticates users, issues JWTs, manages refresh tokens, revocation | Verifies tokens, checks scopes, allows/denies requests |
| Spring library | spring-authorization-server | spring-security-oauth2-resource-server |
| Relationship | One Authorization Server issues tokens for N Resource Servers | Each Resource Server validates tokens from that one Authorization Server |
Resource Server config (Spring Security 6):

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceServerConfig {

    @Bean
    SecurityFilterChain filter(HttpSecurity http) throws Exception {
        return http
            .authorizeHttpRequests(a -> a
                // values of the "scope" (or "scp") claim are mapped to SCOPE_<value> authorities
                .requestMatchers("/api/admin/**").hasAuthority("SCOPE_admin")
                .anyRequest().authenticated()
            )
            // signing keys are fetched once from the JWKS endpoint (over TLS) and cached;
            // every request's token is then verified locally
            .oauth2ResourceServer(o -> o.jwt(j -> j.jwkSetUri(
                "https://auth.example.com/.well-known/jwks.json"
            )))
            .build();
    }
}
```

Resource Server validation (local, no call to the auth server per request):
1. Fetch the public keys from the JWKS endpoint (cached; refetched when a token carries an unknown `kid`).
2. Verify the JWT signature.
3. Check claims: iss (issuer), exp (expiration), aud (audience), scope.

Caveat: the config above only gets you steps 1 and 2 plus the timestamp checks. With just `jwkSetUri`, Spring's default `JwtDecoder` validates the signature and `exp`/`nbf` (with a 60-second clock skew) and nothing else: `iss` is not compared to anything, and `aud` is never checked by default. Issuer validation is added when you configure `spring.security.oauth2.resourceserver.jwt.issuer-uri` instead (Spring Boot then also discovers the JWKS URI from the issuer's metadata); audience validation always needs an explicit `OAuth2TokenValidator`. Without an audience check, a token the Authorization Server minted for a different Resource Server is accepted by this one.
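The same Resource Server with all three validation steps wired in, added here as an example (it is not code from the original page or from the Spring project). The issuer `https://auth.example.com`, its JWKS URL and the audience value `orders-api` are assumed; the `audienceValidator` helper is this example's own, not a Spring API.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class HardenedResourceServerConfig {

    // Assumed values for this example: the issuer that mints our tokens,
    // its JWKS endpoint, and the "aud" value this particular API expects.
    static final String ISSUER = "https://auth.example.com";
    static final String JWKS_URI = "https://auth.example.com/.well-known/jwks.json";
    static final String AUDIENCE = "orders-api";

    @Bean
    JwtDecoder jwtDecoder() {
        // Step 1: signing keys come from the JWKS endpoint; Nimbus caches the set and
        // refetches when a token references an unknown "kid".
        // Step 2: signature verification. Only RS256 is accepted by default; call
        // .jwsAlgorithm(SignatureAlgorithm.ES256) on the builder if the issuer signs with ES256.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWKS_URI).build();

        // Step 3a: exp/nbf timestamp check plus "iss" must equal ISSUER.
        OAuth2TokenValidator<Jwt> timestampsAndIssuer = JwtValidators.createDefaultWithIssuer(ISSUER);
        // Step 3b: "aud" is not validated by Spring by default; without this check a token
        // minted for another API behind the same issuer would be accepted here.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                timestampsAndIssuer, audienceValidator(AUDIENCE)));
        return decoder;
    }

    // Example helper (not a Spring API): accept the token only if "aud" contains the expected value.
    static OAuth2TokenValidator<Jwt> audienceValidator(String expected) {
        return jwt -> {
            List<String> aud = jwt.getAudience();
            if (aud != null && aud.contains(expected)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                    new OAuth2Error("invalid_token", "required audience " + expected + " is missing", null));
        };
    }

    @Bean
    SecurityFilterChain filter(HttpSecurity http, JwtDecoder jwtDecoder) throws Exception {
        return http
            .authorizeHttpRequests(a -> a
                // Step 3c: scope check; "scope"/"scp" claim values become SCOPE_<value> authorities
                .requestMatchers("/api/admin/**").hasAuthority("SCOPE_admin")
                .anyRequest().authenticated())
            .oauth2ResourceServer(o -> o.jwt(j -> j.decoder(jwtDecoder)))
            .build();
    }
}
```

If you prefer configuration over code, setting `spring.security.oauth2.resourceserver.jwt.issuer-uri` makes Spring Boot build a decoder with the issuer check already applied, and Boot 3.1 and later also accept `spring.security.oauth2.resourceserver.jwt.audiences`; the explicit bean above is the way to see exactly which checks run.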
In 2026 practice: most teams use a third-party Authorization Server, either Keycloak (self-hosted, open-source) or Auth0/Okta (managed), and their Spring apps act only as Resource Servers. Build your own Authorization Server with spring-authorization-server only for special needs (multi-tenant, custom flows).