8.5 Summary

  • OAuth 2 security is a common way to secure APIs that is more robust than simple HTTP Basic authentication.
  • An authorization server issues access tokens for a client to act on behalf of a user when making requests to an API (or on its own behalf in the case of client token flow).
  • A resource server sits in front of an API to verify that valid, nonexpired tokens are presented with the scope necessary to access API resources.
  • Spring Authorization Server is an experimental project that implements an OAuth 2 authorization server.
  • Spring Security provides support for creating a resource server, as well as creating clients that obtain access tokens from the authorization server and pass those tokens when making requests through the resource server.
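The token checks summarized above (a valid signature, an unexpired token, and the scope the resource requires) are easy to see in a small model. The following is an added example, not code from the book or from Spring Security: it mints an HS256 access token the way an authorization server would and then applies the resource-server checks in order, answering 401 when the token itself is invalid or expired and 403 when the token is valid but lacks the required scope (the same split Spring Security's bearer-token handling makes). The shared secret, subject, client id and scope names are constructed for the demo; a real deployment would sign with an asymmetric key and publish the public key instead of sharing a secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed demo secret shared by the "authorization server" and the
# "resource server" in this example. Not a production key.
DEMO_SECRET = b"demo-shared-secret-for-illustration-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, client_id: str, scopes: List[str], ttl_seconds: int,
                secret: bytes = DEMO_SECRET, now: Optional[int] = None) -> str:
    """Authorization-server side: mint a signed JWT access token for a client
    acting on behalf of `subject`, limited to `scopes` and valid for `ttl_seconds`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "client_id": client_id,
               "scope": " ".join(scopes), "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(payload))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


class InvalidToken(Exception):
    """Token is malformed, not signed by us, or expired -> HTTP 401."""


class InsufficientScope(Exception):
    """Token is valid but does not carry the required scope -> HTTP 403."""


def verify_token(token: str, required_scope: str,
                 secret: bytes = DEMO_SECRET, now: Optional[int] = None) -> dict:
    """Resource-server side: check signature, then expiry, then scope."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        # Signature is checked against the exact bytes that were signed,
        # before the payload is trusted for anything.
        expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(),
                            hashlib.sha256).digest()
        presented = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        raise InvalidToken("malformed token")
    # Pin the algorithm so a header claiming "none" or another alg is rejected.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    if not hmac.compare_digest(expected, presented):
        raise InvalidToken("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if now >= int(payload.get("exp", 0)):
        raise InvalidToken("token expired")
    if required_scope not in payload.get("scope", "").split():
        raise InsufficientScope("missing scope " + required_scope)
    return payload


def handle_request(token: str, required_scope: str, now: Optional[int] = None):
    """Model of the resource server fronting an API endpoint. Returns (status, body)."""
    try:
        claims = verify_token(token, required_scope, now=now)
    except InvalidToken as exc:
        return 401, {"error": "invalid_token", "detail": str(exc)}
    except InsufficientScope as exc:
        return 403, {"error": "insufficient_scope", "detail": str(exc)}
    return 200, {"served_for": claims["sub"], "client": claims["client_id"]}


if __name__ == "__main__":
    # Constructed values: fixed clock so the run is reproducible.
    issued_at = 1_700_000_000
    token = issue_token("alice", "demo-client", ["read:items"], 3600, now=issued_at)
    print(handle_request(token, "read:items", now=issued_at + 60))      # 200
    print(handle_request(token, "write:items", now=issued_at + 60))     # 403
    print(handle_request(token, "read:items", now=issued_at + 3600))    # 401 (expired)
    print(handle_request(issue_token("alice", "demo-client", ["read:items"], 3600,
                                     secret=b"someone-else", now=issued_at),
                         "read:items", now=issued_at + 60))             # 401 (bad signature)
```

The order of the checks matters: the signature is verified before any claim is read, the algorithm in the header is pinned rather than trusted, and expiry is tested with a caller-supplied clock so the boundary case (a token presented exactly at its `exp`) is reproducible.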

Released under the MIT License.