
[Spring Security] 8-1. OAuth2 Resource Server

noahkim_ 2026. 5. 15. 18:00

1. OAuth2 Resource Server

  • The server that hosts protected resources (your API)
  • ✅ Responsible for authenticating each request to a protected resource: it validates the bearer access token presented with the request and rejects the request if the token is missing, invalid, expired or not meant for this server

 

Protect Access with an OAuth2 Access Token

Type          | Description                                                         | Verification
JWT           | Self-contained, signed token; claims are readable by the resource server | Signature verified locally with the authorization server's public key (fetched from its JWKS endpoint), plus exp/nbf and iss checks
Opaque Token  | Token whose contents the resource server cannot read                 | Sent to the authorization server's introspection endpoint (RFC 7662) on every request; the response says whether it is active and carries its claims

 

Setup) JWT

application.yml (issuer-uri must be exactly the value that appears in the token's iss claim; Spring Boot fetches the issuer's metadata document at startup to locate the JWKS endpoint):

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://my-auth-server.com

SecurityConfig.java:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // jwt() with no arguments is deprecated since Spring Security 6.1; pass a Customizer
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));

        return http.build();
    }

    // Optional: with issuer-uri set, Spring Boot auto-configures an equivalent JwtDecoder.
    // Declaring it yourself is only needed when you want to customize it; if you do,
    // the issuer passed here must match the one in application.yml.
    @Bean
    public JwtDecoder jwtDecoder() {
        return JwtDecoders.fromIssuerLocation("https://my-auth-server.com");
    }
}
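A decoder built from the issuer location validates the signature, the exp/nbf timestamps and the iss claim, but by default it does not check the aud claim. Any token minted by the same authorization server for a different API would therefore be accepted here. The following is an added example (not code from the original post) showing how to keep the default checks and add an audience check; "my-resource-server" is an assumed audience value, and NimbusJwtDecoder.withIssuerLocation requires Spring Security 6.3 or later (older versions can use withJwkSetUri instead).

```java
import java.util.Collection;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class AudienceCheckingJwtDecoderConfig {

    private static final String ISSUER = "https://my-auth-server.com";
    // Assumed value: the identifier the authorization server puts in "aud" for this API
    private static final String EXPECTED_AUDIENCE = "my-resource-server";

    @Bean
    public JwtDecoder jwtDecoder() {
        // Same key discovery as JwtDecoders.fromIssuerLocation (metadata -> jwks_uri),
        // but built through the builder so the validator can be replaced below.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(ISSUER).build();

        // What fromIssuerLocation gives you already: exp/nbf with clock skew, and iss == ISSUER
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(ISSUER);

        // The added check: "aud" must contain this server's identifier.
        // Nimbus exposes "aud" as a List<String>, so a Collection predicate works for both
        // the single-string and array forms of the claim.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<Collection<String>>(
            JwtClaimNames.AUD,
            aud -> aud != null && aud.contains(EXPECTED_AUDIENCE));

        // All validators must pass; a failure surfaces as a 401 with an invalid_token error
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(defaults, audience));
        return decoder;
    }
}
```

Because this bean replaces the auto-configured JwtDecoder, the issuer-uri property becomes informational only; the class above is the single source of truth for what a valid token looks like to this server.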

 

Setup) Opaque Token

application.yml (client-id and client-secret are the resource server's own credentials for calling the introspection endpoint, not the credentials of the client application that obtained the token):

spring:
  security:
    oauth2:
      resourceserver:
        opaquetoken:
          introspection-uri: https://my-auth-server.com/oauth2/introspect
          client-id: my-client-id
          # placeholder value; in a real deployment load this from an environment variable or secret store
          client-secret: my-client-secret

SecurityConfig.java:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // opaqueToken() with no arguments is deprecated since Spring Security 6.1; pass a Customizer
            .oauth2ResourceServer(oauth2 -> oauth2.opaqueToken(Customizer.withDefaults()));

        return http.build();
    }

    // Optional: with the opaquetoken properties set, Spring Boot auto-configures this bean.
    // The introspector POSTs the token to the endpoint with HTTP Basic auth (client-id/secret)
    // and rejects the request when the response has "active": false.
    @Bean
    public OpaqueTokenIntrospector opaqueTokenIntrospector() {
        return new SpringOpaqueTokenIntrospector(
            "https://my-auth-server.com/oauth2/introspect",
            "my-client-id",
            "my-client-secret");
    }
}

 

Protect Access with a custom JWT

  • How an issued Access Token is validated inside the filter chain
  • ✅ BearerTokenAuthenticationFilter extracts the token from the Authorization: Bearer header and hands it to JwtAuthenticationProvider, which decodes and verifies it through a JwtDecoder (NimbusJwtDecoder by default) and turns the claims into a JwtAuthenticationToken

 

Setup) Custom Access Token verification

application.yml:

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          public-key-location: classpath:my-public-key.pub

  • Registering only the public key is enough: Spring Boot builds a NimbusJwtDecoder that verifies signatures with it
  • The file must be an RSA public key in PEM format (-----BEGIN PUBLIC KEY-----); no network call is made, so there is no JWKS fetch and no automatic key rotation
  • With no issuer-uri configured, the decoder checks only the signature and the exp/nbf timestamps; iss and aud are not validated unless you add validators yourself
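The property-based setup above leaves two things implicit: which signature algorithm is accepted, and how the token's claims become Spring Security authorities. The following is an added example (not code from the original post) that does the same job as public-key-location in Java, pins the algorithm to RS256, and maps the scope claim to SCOPE_ authorities used by the authorization rules. The request paths and scope names (/api/orders/**, orders:read, orders:write) are assumed for illustration; the PEM parsing helper is standard JDK code, and Resource#getContentAsString requires Spring Framework 6.0 or later.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class CustomJwtSecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http,
                                                   JwtAuthenticationConverter converter) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Assumed paths and scopes; the "SCOPE_" prefix is produced by the converter below
                .requestMatchers(HttpMethod.GET, "/api/orders/**").hasAuthority("SCOPE_orders:read")
                .requestMatchers(HttpMethod.POST, "/api/orders/**").hasAuthority("SCOPE_orders:write")
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));

        return http.build();
    }

    @Bean
    public JwtDecoder jwtDecoder() throws IOException, GeneralSecurityException {
        // Java equivalent of public-key-location: a local RSA key, no JWKS fetch, no "kid" lookup.
        // Pinning RS256 makes the decoder reject a token whose header names any other algorithm
        // before the signature is even checked.
        return NimbusJwtDecoder.withPublicKey(loadRsaPublicKey("my-public-key.pub"))
            .signatureAlgorithm(SignatureAlgorithm.RS256)
            .build();
    }

    @Bean
    public JwtAuthenticationConverter jwtAuthenticationConverter() {
        // Makes the default mapping explicit: each value of the "scope" claim becomes
        // a GrantedAuthority named SCOPE_<value>. Restricting to "scope" drops the
        // default fallback to "scp", so only the claim this server expects is honoured.
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();
        scopes.setAuthorityPrefix("SCOPE_");
        scopes.setAuthoritiesClaimName("scope");

        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(scopes);
        // Authentication#getName() will return the "sub" claim (the default, stated explicitly)
        converter.setPrincipalClaimName("sub");
        return converter;
    }

    // Parses a PEM "PUBLIC KEY" (SubjectPublicKeyInfo) file from the classpath into an RSAPublicKey,
    // the same format Spring Boot expects for public-key-location.
    static RSAPublicKey loadRsaPublicKey(String classpathLocation) throws IOException, GeneralSecurityException {
        String base64 = new ClassPathResource(classpathLocation)
            .getContentAsString(StandardCharsets.UTF_8)
            .replace("-----BEGIN PUBLIC KEY-----", "")
            .replace("-----END PUBLIC KEY-----", "")
            .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(base64);
        return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }
}
```

Like the property-based setup, this decoder performs only the signature and timestamp checks; issuer and audience validation have to be added through setJwtValidator if the key could also be used by the authorization server to sign tokens for other services.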