Validating the Resource Server audience
Although a bearer access token can be used by anyone who holds it to access OAuth 2.0 protected resources, you can restrict an access token to a specified set of resources by setting up its audience. If an access token carries the audience for Resource Server A, it cannot be used to access resources protected by Resource Server B, because B checks the audience before accepting the token. This chapter will cover this important feature, so that you can use it when you have one Authorization Server serving multiple Resource Servers.
Getting ready
To run this recipe, you will need Java 8, Maven, Spring Web, and Spring Security. Because of the architecture of this solution, this recipe requires that you create three applications: one for the Authorization Server and two for the Resource Servers. The Authorization Server was created with the name authorization-server, and the resource servers were created as resource-server-a and resource-server-b. The source code for these projects is all available...
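To make the audience restriction concrete, the following is an added example (not the book's own code) of how the two sides fit together with Spring Security OAuth2 (spring-security-oauth2) on a Spring Boot application. On the Authorization Server, each registered client is bound to the resource IDs it may obtain tokens for, which become the token's audience; on Resource Server A, the `resourceId` it declares must appear in the token's audience or the request is rejected. The client IDs, secrets and class names are constructed placeholders; the two classes belong to the separate authorization-server and resource-server-a applications.

```java
// File 1: in the authorization-server application (added example, not the book's code).
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;

@Configuration
@EnableAuthorizationServer
public class AudienceAwareAuthorizationServer extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager; // needed for the password grant

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Constructed client registrations: each client may only obtain tokens
        // whose audience (resource IDs) names the Resource Server it is meant for.
        clients.inMemory()
            .withClient("client-for-a")
            .secret("secret-a")
            .authorizedGrantTypes("password", "refresh_token")
            .scopes("read")
            .resourceIds("resource-server-a")   // audience: Resource Server A only
            .and()
            .withClient("client-for-b")
            .secret("secret-b")
            .authorizedGrantTypes("password", "refresh_token")
            .scopes("read")
            .resourceIds("resource-server-b");  // audience: Resource Server B only
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.authenticationManager(authenticationManager);
    }
}

// File 2: in the resource-server-a application (added example, not the book's code).
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
@EnableResourceServer
public class ResourceServerAConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Declares this server's identity. Spring's OAuth2AuthenticationManager
        // rejects any token whose resource IDs do not contain this value, so a
        // token issued to client-for-b (audience resource-server-b) is refused here.
        resources.resourceId("resource-server-a");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated();
    }
}
```

Resource Server B is configured identically with `resourceId("resource-server-b")`. The example assumes both Resource Servers can read the token's resource IDs, either through a shared token store or by asking the Authorization Server's check-token endpoint; without that, the audience check has nothing to compare against. When the check fails, the Resource Server answers with an `invalid_token` error rather than serving the resource, which is the behaviour worth confirming in a test before relying on it.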