Spring-boot oauth2 splitting authorization server and resource server

Question

Im trying to split the resource server from the authorization server in spring-boot. I have two different applications that i'm running separately. In the authorization server i can get the bearer token from oauth/token but when i'm trying to get access to the resource(sending the token in header) i'm getting an invalid token error. My intention is to use the InMemoryTokenStore and the bearer token. Can anyone tell me what is wrong in my code?

Authorization Server:

@SpringBootApplication
public class AuthorizationServer extends WebMvcConfigurerAdapter {

  public static void main(String[] args) {
    SpringApplication.run(AuthorizationServer.class, args);
  }

  @Configuration
  @EnableAuthorizationServer
  protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

  private TokenStore tokenStore = new InMemoryTokenStore();

  @Autowired
  private AuthenticationManager authenticationManager;

  @Override
  public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
      endpoints
        .authenticationManager(authenticationManager)
        .tokenStore(tokenStore);
  }

  @Override
  public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
      security.checkTokenAccess("hasAuthority('ROLE_USER')");
  }

  @Override
  public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
      clients
          .inMemory()
            .withClient("user")
            .secret("password")
            .authorities("ROLE_USER")
            .authorizedGrantTypes("password")
            .scopes("read", "write")
            .accessTokenValiditySeconds(1800);
  }  
}

Resource Server:

@SpringBootApplication 
@RestController
@EnableOAuth2Resource
@EnableWebSecurity
@Configuration
public class ResourceServer extends WebSecurityConfigurerAdapter {



public static void main(String[] args){
     SpringApplication.run(ResourceServer.class, args);
}

@RequestMapping("/")
public String home(){
    return "Hello Resource World!";
}

@Bean
public ResourceServerTokenServices tokenService() {
    RemoteTokenServices tokenServices = new RemoteTokenServices();
    tokenServices.setClientId("user");
    tokenServices.setClientSecret("password");
    tokenServices.setTokenName("tokenName");
    tokenServices.setCheckTokenEndpointUrl("http://localhost:8080/oauth/check_token");
    return tokenServices;
}

@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
    OAuth2AuthenticationManager authenticationManager = new OAuth2AuthenticationManager();
    authenticationManager.setTokenServices(tokenService());
    return authenticationManager;
}

@Configuration
@EnableResourceServer
protected static class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .requestMatchers()
            .antMatchers("/","/home")
            .and()
            .authorizeRequests()
            .anyRequest().access("#oauth2.hasScope('read')");
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        TokenStore tokenStore = new InMemoryTokenStore();
        resources.resourceId("Resource Server");
        resources.tokenStore(tokenStore);
    }
}

Answer 1

You have created 2 instances of InMemoryTokenStore. If you want to share tokens between the auth server and resource server they need the same store.