Just to clarify a couple of points and add additional information to the answer provided by Pratik Shah (and Alex in the relevant topic):
2- The mentioned configure method is overridden by creating a class that extends AuthorizationServerConfigurerAdapter:

```java
@EnableAuthorizationServer
@Configuration
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
        oauthServer.tokenKeyAccess("permitAll()")
                   .checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients
            .inMemory()
            .withClient("ger-client-id")
            .secret("ger-secret")
            .authorizedGrantTypes("password")
            .scopes("read", "write");
    }
}
```
2- I suggest reading this Spring manual explaining the automatic configuration performed by Spring Boot when we include the @EnableAuthorizationServer annotation, including the AuthorizationServerConfigurer bean. If you create a configuration bean that extends the AuthorizationServerConfigurerAdapter, as I did above, all this automatic configuration is disabled.
3- If automatic configuration suits you, and you JUST WANT to manipulate access to the endpoint /oauth/check_token, you can still do this without creating an AuthorizationServerConfigurer bean (and therefore without having to configure everything programmatically).
You need to add the security.oauth2.authorization.check-token-access property to the application.properties file, for example:

```properties
security.oauth2.client.client-id=ger-client-id
security.oauth2.client.client-secret=ger-secret
security.oauth2.client.scope=read,write
security.oauth2.authorization.check-token-access=permitAll()
```
Of course, you can set it to isAuthenticated() if you want.
You can set the DEBUG log level to make sure everything is configured properly:

```
16:16:42.763 [main] DEBUG osswaeExpressionBasedFilterInvocationSecurityMetadataSource - Adding web access control expression 'permitAll()', for Ant [pattern='/oauth/check_token']
```
There is not much documentation about these properties, but they can be found out from this autoconfiguration class.
Another thing worth mentioning, although it seems to be fixed in recent versions of Spring, I just introduced a problem in the spring-security-oauth project; it seems that the token_check function is enabled by default if you add a slash to the query:

```
$ curl localhost:8080/oauth/check_token/?token=fc9e4ad4-d6e8-4f57-b67e-c0285dcdeb58
{"scope":["read","write"],"active":true,"exp":1544940147,"authorities":["ROLE_USER"],"client_id":"ger-client-id"}
```
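As an added example (not part of the answer above or of the spring-security-oauth project), here is a Spring Boot MockMvc test that verifies the access rule on /oauth/check_token is actually enforced in the version you run, including the trailing-slash variant described above. It assumes the AuthServerConfig from point 1 (with checkTokenAccess("isAuthenticated()")) is on the test classpath, JUnit 4 with SpringRunner, and a made-up placeholder token value.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

// Regression test for the check_token access rule; assumes the AuthServerConfig
// from point 1 is active (checkTokenAccess("isAuthenticated()")).
@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class CheckTokenAccessTest {

    // Constructed placeholder: the value never has to be a real token, because an
    // anonymous caller must be rejected before the token is even looked up.
    private static final String BOGUS_TOKEN = "00000000-0000-0000-0000-000000000000";

    @Autowired
    private MockMvc mockMvc;

    @Test
    public void anonymousCheckTokenIsRejected() throws Exception {
        // The canonical path must answer 401 without client credentials.
        mockMvc.perform(get("/oauth/check_token").param("token", BOGUS_TOKEN))
               .andExpect(status().isUnauthorized());
    }

    @Test
    public void trailingSlashDoesNotBypassTheRule() throws Exception {
        // The variant from the answer: '/oauth/check_token/' must not return the
        // introspection JSON with HTTP 200. Any 4xx (401, 403 or 404, depending on how
        // the installed version matches the path) means the rule still holds.
        mockMvc.perform(get("/oauth/check_token/").param("token", BOGUS_TOKEN))
               .andExpect(status().is4xxClientError());
    }
}
```

If the second test fails on your version, the trailing-slash form is reachable without authentication and the dependency should be upgraded or the matcher tightened.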