https://devops-monk.com/tags/oauth2/Recent content in Oauth2 on Devops MonkHugoen-usSun, 03 May 2026 00:00:00 +0000https://devops-monk.com/tutorials/spring-boot/spring-security-oauth2-resource-server/Sun, 03 May 2026 00:00:00 +0000https://devops-monk.com/tutorials/spring-boot/spring-security-oauth2-resource-server/In production, you rarely build your own auth server. You use an external provider — Keycloak, Auth0, Okta, or AWS Cognito. This article shows how to configure Spring Boot as a Resource Server that validates JWTs issued by any OIDC-compliant provider. The OAuth2 Architecture ┌─────────────────┐ │ Auth Server │ │ (Keycloak/Auth0) │ │ │ │ Issues JWTs │ │ Publishes JWKS │ └────────┬────────┘ │ ┌────────────┐ │ JWT │ Client │──────────►│ │ (Browser/ │ │ │ Mobile) │ │ └────────────┘ ▼ ┌─────────────────┐ Bearer │ Resource Server │ Token ►│ (Spring Boot) │ │ │ │ Validates JWT │ │ via JWKS URI │ └─────────────────┘ Client authenticates with the Auth Server and receives a JWT Client sends the JWT as Authorization: Bearer <token> to the Resource Server Resource Server validates the JWT by fetching the public key from the Auth Server’s JWKS endpoint If valid, the Resource Server processes the request Setup <dependency> <groupId>org.https://devops-monk.com/2026/05/spring-boot-oauth2-jwt-security/Sun, 03 May 2026 00:00:00 +0000https://devops-monk.com/2026/05/spring-boot-oauth2-jwt-security/Zero-trust API security means every request is validated independently — no session state, no “trusted network” assumptions. A JWT bearer token is issued by an authorisation server, signed cryptographically, and validated on every API call. The API never calls back to the authorisation server during validation; it verifies the token’s signature locally. This guide covers the complete setup: dependencies, resource server configuration, token validation (both symmetric and asymmetric), extracting claims, role-based access control, method-level security, and the Spring Security 7 changes that break existing setups.