In Spring Security 5.2.0.M2, users can configure the OAuth 2.0 Resource Server to validate opaque tokens through Introspection:

http .oauth2ResourceServer() .opaqueToken();

It would be nice if this could be property-driven, e.g.:

spring: security: oauth2: resourceserver: opaque-token: introspection-uri: https://endpoint client-id: client_id client-secret: client_secret

Then, Spring Boot could register an instance of OAuth2TokenIntrospectionClient:

@Bean public OAuth2TokenIntrospectionClient introspectionClient() { return new NimbusOAuth2TokenIntrospectionClient(uri, clientId, clientSecret); }

Note that this configuration is only valid if OAuth2IntrospectionAuthenticationToken is on the classpath.