The OAuth2 component that hosts protected resources and accepts access tokens to authorize API requests from clients.
An OAuth2 Resource Server is the server that hosts protected resources (APIs, user data). It validates access tokens and serves a resource only when the request presents a valid token carrying the scopes that resource requires.
// Request with Bearer token
GET /api/user/profile
Authorization: Bearer eyJhbGciOiJSUzI1NiIs...
// Resource server validates:
// 1. Token signature (if JWT)
// 2. Token expiration
// 3. Required scopes present
// 4. Token not revoked (if checking)
// Or introspects with auth server:
POST /introspect
Content-Type: application/x-www-form-urlencoded

token=eyJhbGciOiJSUzI1NiIs...
// Response
{
  "active": true,
  "scope": "read:profile write:profile",
  "client_id": "app123",
  "sub": "user456"
}
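How a resource server might turn the introspection response above into an allow or deny decision, as an added example that is not part of the original page. The function name authorizeRequest, its return shape, and the sample clock value are assumptions made for this sketch; the 401 invalid_token and 403 insufficient_scope responses follow RFC 6750.

```javascript
// Added example: decide how a resource server answers a request, given the
// introspection response for the presented token (RFC 7662 field names).
// authorizeRequest and its return shape are hypothetical names for this sketch.
function authorizeRequest(introspection, requiredScopes, nowSeconds) {
  const deny = (status, error, extra = '') => ({
    allowed: false,
    status,
    wwwAuthenticate: `Bearer error="${error}"${extra}`,
  });

  // Only the boolean true counts; a missing field or the string "true" does not.
  if (!introspection || introspection.active !== true) {
    return deny(401, 'invalid_token');
  }
  // Defence in depth: honour exp if the authorization server included it.
  if (typeof introspection.exp === 'number' && introspection.exp <= nowSeconds) {
    return deny(401, 'invalid_token');
  }
  // scope is one space-delimited string; split it and compare whole values so
  // that "read:profile" is not satisfied by "read:profile-admin" or vice versa.
  const granted = new Set(
    typeof introspection.scope === 'string'
      ? introspection.scope.split(' ').filter(Boolean)
      : []
  );
  const missing = requiredScopes.filter((s) => !granted.has(s));
  if (missing.length > 0) {
    return deny(403, 'insufficient_scope', `, scope="${requiredScopes.join(' ')}"`);
  }
  return { allowed: true, status: 200, subject: introspection.sub, clientId: introspection.client_id };
}

// Constructed sample input, modelled on the response shown above.
const sample = { active: true, scope: 'read:profile write:profile', client_id: 'app123', sub: 'user456' };
const now = 1700000000; // constructed "current time" in seconds since the epoch

console.log(authorizeRequest(sample, ['read:profile'], now));
console.log(authorizeRequest(sample, ['delete:profile'], now));
console.log(authorizeRequest({ active: false }, ['read:profile'], now));
```

Comparing whole scope values rather than using a substring match is the detail most often gotten wrong in this check.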