How to Use Client Credentials Flow with Spring Security

@amardeep2006
JWT access tokens are a source of common confusion.
Access tokens can be validated remotely (per spec); this requires a client-id and client-secret. Some IdPs also allow for locally validating structured tokens (e.g. an access token that is a JWT).

There are pros & cons to both: JWT vs Opaque Access Tokens: Use Both With Spring Boot | Okta Developer

Back to your question!
For JWT access tokens, you have a few options:

  • Different authorization servers for each app (if your applications do not need to share tokens)
  • You could use the same authorization server with different scopes (your application would need to check if those scopes are present in the JWT)
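As an added example (not code from this thread, from Okta, or from Spring), here is how the second option's scope check could be enforced in a Spring Security 6 resource server: tokens from the shared authorization server are validated locally against the issuer's JWKS, and the app only honours tokens that carry its own audience and scope. The issuer URI, audience and scope name are placeholders.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    // Placeholders (assumptions): the shared authorization server, the audience
    // it mints for this app, and the scope that only this app's clients are granted.
    private static final String ISSUER = "https://{yourOktaDomain}/oauth2/default";
    private static final String AUDIENCE = "api://orders";
    private static final String REQUIRED_SCOPE = "SCOPE_orders:read";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Spring maps the token's "scope"/"scp" claim to SCOPE_* authorities,
                // so a token from the same issuer without this scope is rejected (403).
                .requestMatchers("/api/orders/**").hasAuthority(REQUIRED_SCOPE)
                .anyRequest().denyAll())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Signature, expiry and issuer are checked by the defaults; the audience check is
        // added so a token minted for a different resource server is not accepted here.
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(ISSUER);
        OAuth2TokenValidator<Jwt> issuer = JwtValidators.createDefaultWithIssuer(ISSUER);
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                "aud", aud -> aud != null && aud.contains(AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuer, audience));
        return decoder;
    }
}
```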

Thanks @bdemers for the quick response as always. I do not wish to share the token with other apps, so I will explore the custom auth server approach.
Have a nice day!!


@bdemers, there are clients that only accept the token request body as JSON data. How can this be achieved using the reactive approach? Any ideas? Thank you