I have an auth-server + resource server in one app. I’ve spent a lot of time searching and debugging, but there aren’t many updated pages or topics about Spring Boot 3.+ related to this. So, I had this working and wanted to add a custom secret that will be shared between my client and server. And here is where the problems started…

I’m working with a Spring OAuth2 Authorization Server to secure my application’s endpoints. My goal is to restrict OAuth2 related endpoints (e.g., /oauth2/authorize, /oauth2/token) to users with the OAUTH2 authority, while allowing application endpoints accessible to users with the USER authority.