Spring Boot resource server validates token with HTTP POST instead of HTTP GET

Question

I have server with dependencies and config as it mentioned Minimal OAuth2 Boot Configuration:

• spring-security-oauth2
• spring-security-oauth2-autoconfigure

Security config is annotated with @EnableResourceServer.

Properties contains:

spring:
  security:
    oauth2:
      resource:
        token-info-uri: https://token-validation-url/example

When I execute request curl -H "Authorization: xyz" http://localhost:8080/my-endpoint, I get 401 but I don't see that HTTP call for token validation would be executed.

If I remove spring prefix from the property, I still get 401 but it tries HTTP POST to https://token-validation-url/example:

security:
  oauth2:
    resource:
      token-info-uri: https://token-validation-url/example

If I take the same token and try manually HTTP GET https://token-validation-url/example?otoken=xyz, it returns that it is valid.

How to specify otoken query param? Why server tries to validate token with HTTP POST instead HTTP GET?

Answer 1

Noticed that HTTP POST https://token-validation-url/example?otoken=xyz validates the same as GET so used:

security:
  oauth2:
    resource:
      token-info-uri: https://token-validation-url/example

Just needed to set token name:

@SpringBootApplication
public class ExampleApplication {

    public static void main(String[] args) {
        ConfigurableApplicationContext context = SpringApplication.run(ExampleApplication.class, args);
        RemoteTokenServices remoteTokenServices = context.getBean(RemoteTokenServices.class);
        remoteTokenServices.setTokenName("otoken");
    }
}

Other way to configure RemoteTokenServices: Configuring resource server with RemoteTokenServices in Spring Security Oauth2