Secure Client to Server Communication with Spring Boot

Hi, i have a use case where:

  • Spring Boot based Application ‘A’ is responsible for authenticating the user and storing appropriate “user access token” as a HTTP Cookie for domain “”. For example, Context path of the application is:
  • Spring Boot based Application ‘B’ exposes RestFul services under the same domain “” that expects “User Access Token” in header as part of incoming request. For example, Context path of the application is:

How can i validate the OKTA issued “User Access Token” using Spring Boot for accessing RestFul services provided by Application ‘B’ ?

P.S. I am looking something similar to, only that, instead of validating the client token, i want to validate the user access token

You could try the /introspect endpoint to validated the token

Thanks, i was able to get it working using /introspect endpoint couple of days back. I have another issue now.

How can i use two Resource Servers and secure endpoints. For example: I have a combination of clientIdA, secretA and resourceserverA. I want to use this combination to secure my API’s.

I have another combination of clientIdB, secretB and resourceserverB. I want to use this combination to secure my swagger and actuators etc.

Please can you suggest the resource server configuration and security configuration.


Could you post more information about the issue? I’m not sure why the server configuration is an issue.

Hi, please see below my current configuration. I want to secure swagger using different client,secret and auth server (I don’t want to rely on scopes or role) compared to my other user facing REST API’s.

OAUTH2 Server

@SpringBootApplication(exclude = { 
@ComponentScan(basePackages = {"org.test.profile"})
@EnableAutoConfiguration(exclude = { 
public class ProfileApplication extends SpringBootServletInitializer {

	public static void main(String[] args) {, args);
	protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
		return application.sources(ProfileApplication.class);

     * Allows for @PreAuthorize annotation processing.
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    protected static class GlobalSecurityConfiguration extends GlobalMethodSecurityConfiguration {
        protected MethodSecurityExpressionHandler createExpressionHandler() {
            return new OAuth2MethodSecurityExpressionHandler();

class SecurityConfig extends WebSecurityConfigurerAdapter {

  protected void configure(final HttpSecurity http) throws Exception {

    // csrf check disabled

    // Options call is not allowed
      .antMatchers(HttpMethod.OPTIONS, "/**").denyAll()
//      .antMatchers("/v2/api-docs",
//          "/configuration/ui",
//          "/swagger-resources/**",
//          "/configuration/security",
//          "/swagger-ui.html",
//          "/webjars/**").permitAll()


public class SwaggerConfig {
    public Docket api() { 
        return new Docket(DocumentationType.SWAGGER_2)  
    private ApiInfo apiEndPointsInfo() {
        return new ApiInfoBuilder().title("PROFILE APP REST API")
            .description("PROFILE APP REST API")
            .contact(new Contact("VM", "", ""))
            .license("Apache 2.0")
     * SwaggerUI information
    UiConfiguration uiConfig() {
        return UiConfigurationBuilder.builder()

How to use /introspect without client_secret in spring boot application
Please help
Thank you