OAuth2 Resource Server

OAuth2 Resource Server is the server hosting protected resources (APIs, user data). It validates access tokens and serves resources when valid tokens with appropriate scopes are presented.

Responsibilities

• Validate incoming access tokens
• Check token scopes against required permissions
• Serve protected resources to authorized requests
• Return appropriate errors for invalid/expired tokens

Token Validation

// Request with Bearer token
GET /api/user/profile
Authorization: Bearer eyJhbGciOiJSUzI1NiIs...

// Resource server validates:
// 1. Token signature (if JWT)
// 2. Token expiration
// 3. Required scopes present
// 4. Token not revoked (if checking)

// Or introspects with auth server:
POST /introspect
token=eyJhbGciOiJSUzI1NiIs...

// Response
{
  "active": true,
  "scope": "read:profile write:profile",
  "client_id": "app123",
  "sub": "user456"
}

Security Considerations

• Always validate tokens, never trust client claims
• Verify token was issued for your resource server (audience)
• Check scopes for each endpoint
• Use HTTPS exclusively
• Consider token binding for high-security scenarios

See Also

• OAuth2
• OAuth2 Authorization Server
• OAuth2 Access Token