Reputation: 13
I have two RegisteredClients(and two resource servers):
@Bean
public RegisteredClientRepository registeredClientRepository() {
    RegisteredClient spa1 = RegisteredClient.withId(UUID.randomUUID().toString())
            .clientId("client1")
            ...
            .redirectUri("http://127.0.0.1:3000/authorized")
            ...
            .build();
    RegisteredClient spa2 = RegisteredClient.withId(UUID.randomUUID().toString())
            .clientId("client2")
            ...
            .redirectUri("http://127.0.0.1:3001/authorized")
            ...
            .build();
    return new InMemoryRegisteredClientRepository(spa1, spa2);
}
When I obtain access_token as client1, I can access endpoints in both resource servers. I need client1 to be able to access only resourceServer1, and client2 to access resourceServer2.
I went through the docs and source code, but I cannot find a way to configure the client to be able to access only a certain resource. I think this was possible in Spring Security by doing:
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    ClientDetailsServiceBuilder.ClientBuilder clientBuilder = clients
            .inMemory()
            .withClient("client1")
            .resourceIds("resourceServer1")
            ...
Is it doable?
Upvotes: 1
Views: 1012
Reputation: 5449
This is usually done by means of the aud claim in the access token.
The client will send the intended audience to the authorization server when it requests an access token, and each resource server must make sure to validate that the aud claim in the access token contains the resource server's ID.
If you use Spring Boot's Resource Server starter I think you can configure the audience ID with the spring.security.oauth2.resourceserver.jwt.audiences property (read more about it here.)
Otherwise, you'll have to look into configuring your own JwtDecoder with its own JwtValidator (which is what validates the JWT claims.)
Upvotes: 1