spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
http://github.com/spring-projects/spring-security-oauth
Apache License 2.0

Not getting any authority while using RemoteTokenService #332

Open peanutpi opened 9 years ago

peanutpi commented 9 years ago

I am using RemoteTokenService. In checkTokenEndpoint I am getting authorities from the OAuth2 server, but at the resource server I can not use any authorization check based on authority or role (i.e. hasRole('ROLE_CLIENT')).

I've found that in DefaultAccessTokenConverter the authority of the user or client was there, but at the resource server side you are setting null as authority.

dsyer commented 9 years ago

Access decisions probably ought to be based on scope so I would recommend not relying on the client authorities in a Resource Server. However if you want to add the authorities, please go ahead and propose a change (you would need to optionally inject the ClientDetailsService into the DefaultAccessTokenConverter - the client_id is there but not the client actually as things stand).
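A concrete shape for the change dsyer describes, as an added example that is not part of this issue or the project's code: a converter subclass with an optional ClientDetailsService that copies the client's authorities into the OAuth2Request on the resource server. The class name is assumed; it relies on the OAuth2Request constructor and getters of the spring-security-oauth2 2.0.x line, so check them against the version in use.

```java
// Added example (not from the issue or the project): a DefaultAccessTokenConverter
// that re-attaches the client's authorities on the resource-server side, along the
// lines dsyer sketches. Assumes the spring-security-oauth2 2.0.x API; the class name
// and the optional-injection style are assumptions.
import java.util.Collection;
import java.util.Map;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;

public class ClientAuthorityAccessTokenConverter extends DefaultAccessTokenConverter {

    private ClientDetailsService clientDetailsService;

    /** Optional: when no ClientDetailsService is set, behaviour is unchanged. */
    public void setClientDetailsService(ClientDetailsService clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
    }

    @Override
    public OAuth2Authentication extractAuthentication(Map<String, ?> map) {
        OAuth2Authentication auth = super.extractAuthentication(map);
        if (clientDetailsService == null) {
            return auth;
        }
        OAuth2Request original = auth.getOAuth2Request();
        Collection<? extends GrantedAuthority> clientAuthorities;
        try {
            ClientDetails client = clientDetailsService.loadClientByClientId(original.getClientId());
            clientAuthorities = client.getAuthorities();
        } catch (ClientRegistrationException e) {
            // Client unknown to this resource server: keep the token's own view rather than fail.
            return auth;
        }
        // Rebuild the request with the client authorities; every other field is copied as-is.
        OAuth2Request enriched = new OAuth2Request(original.getRequestParameters(),
                original.getClientId(), clientAuthorities, original.isApproved(),
                original.getScope(), original.getResourceIds(), original.getRedirectUri(),
                original.getResponseTypes(), original.getExtensions());
        return new OAuth2Authentication(enriched, auth.getUserAuthentication());
    }
}
```

Wire it in with RemoteTokenServices.setAccessTokenConverter(...). OAuth2Authentication.getAuthorities() returns the user's authorities whenever a user authentication is present, so the client authorities only drive checks like hasRole('ROLE_CLIENT') for client-only (client_credentials) tokens.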