I am trying to use Spring OAuth2 resource server and Spring OAuth2 Authorization server with opaque/reference tokens.
In order to verify the token, the resource server must call the authorization server's introspection api to get the token payload.
The introspection API requires valid credentials corresponding to a RegisteredClient in the authorization server's RegisteredClientRepository. The client simply needs to exist - it doesn't need any scopes / authorizationGrantTypes.
My question is this: what is the recommended way to get these credentials? Should I create a special RegisteredClient for the resource server to use?
My current approach is to create a default user with credentials that the resource server knows:

```java
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;

// Register a client whose credentials the resource server presents on introspection calls
RegisteredClient defaultUser = RegisteredClient.withId(DEFAULT_USER_ID)
        .clientId(DEFAULT_USER_ID)
        .clientSecret("***") // secret elided; the authorization server compares it through its PasswordEncoder
        // an authorizationGrantType is required by the builder
        .authorizationGrantType(new AuthorizationGrantType("none"))
        .build();
registeredClientRepository.save(defaultUser);
```
Is this the recommended approach?
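For comparison, here is an added example (not the asker's code) of the two halves of this setup: a dedicated introspection client registered on the Spring Authorization Server, and the matching opaque-token introspector on the resource server. In practice the two beans live in two different applications; they are shown in one class only for brevity. The client id, the secret value, the bean names and the introspection URL are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector;

@Configuration
public class IntrospectionClientConfig {

    // Authorization server side: one RegisteredClient whose only job is to call /oauth2/introspect.
    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        RegisteredClient introspectionClient = RegisteredClient.withId("resource-server-introspection")
                .clientId("resource-server")
                // Secrets are checked with the delegating PasswordEncoder, so store the
                // "{bcrypt}..." encoded form rather than the raw value (value below is assumed).
                .clientSecret(PasswordEncoderFactories.createDelegatingPasswordEncoder()
                        .encode("change-me-introspection-secret"))
                // Introspection authenticates the client with HTTP Basic.
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                // The builder needs at least one grant type; client_credentials describes a
                // machine client like this one, and with no scopes it cannot act for a user.
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .build();
        return new InMemoryRegisteredClientRepository(introspectionClient);
    }

    // Resource server side: introspector that presents those same credentials to the
    // authorization server's introspection endpoint for every incoming opaque token.
    @Bean
    public OpaqueTokenIntrospector opaqueTokenIntrospector() {
        return new SpringOpaqueTokenIntrospector(
                "https://auth.example.test/oauth2/introspect", // assumed authorization server URL
                "resource-server",
                "change-me-introspection-secret");
    }
}
```

The resource server half can equally be expressed with the `spring.security.oauth2.resourceserver.opaquetoken.introspection-uri`, `client-id` and `client-secret` properties instead of an explicit bean.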