Java: What is the significance of using resourceId in OAuth2? Does it play any role during token generation?

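I am using the password grant flow in OAuth2. Initially, I registered the client with the resourceId "api" and generated a token. With that token I can access any resource. I then registered a new client without a resourceId and generated a token. With this token I am again allowed to access any resource. So does this mean that one token can access any resource? Or can a token generated for a specific resource only access that specific resource? If so, what am I doing wrong?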

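**This is the authorization server**

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

@EnableAuthorizationServer
@Configuration
public class OauthConfiguration extends AuthorizationServerConfigurerAdapter {

    private final UserDetailsService userService;
    private final AuthenticationManager authenticationManager;

    @Value("${oauth2.clientId:mobile-app}")
    private String clientId;
    @Value("${oauth2.clientSecret:mobile123}")
    private String clientSecret;
    @Value("${oauth2.accessTokenValiditySeconds:43200}") // 12 hrs
    private int accessTokenValiditySeconds;
    @Value("${oauth2.refreshTokenValiditySeconds:2592000}") // 30 days
    private int refreshTokenValiditySeconds;
    @Value("${oauth2.authorizedGrantTypes:password,authorization_code,refresh_token}")
    private String[] authorizedGrantTypes;

    @Autowired
    private BCryptPasswordEncoder bCryptPasswordEncoder;

    public OauthConfiguration(UserDetailsService userService, AuthenticationManager authenticationManager) {
        this.userService = userService;
        this.authenticationManager = authenticationManager;
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        // Only authenticated clients may call the check-token endpoint
        security.checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // Single in-memory client, registered for the resource id "api"
        clients.inMemory()
                .withClient(clientId)
                .secret(bCryptPasswordEncoder.encode(clientSecret))
                .accessTokenValiditySeconds(accessTokenValiditySeconds)
                .refreshTokenValiditySeconds(refreshTokenValiditySeconds)
                .authorizedGrantTypes(authorizedGrantTypes)
                .scopes("read", "write")
                .resourceIds("api");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // The authentication manager is required for the password grant
        endpoints.accessTokenConverter(accessTokenConverter())
                .userDetailsService(userService)
                .authenticationManager(authenticationManager);
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        // Default converter; no signing key is configured here
        JwtAccessTokenConverter tokenConverter = new JwtAccessTokenConverter();
        return tokenConverter;
    }
}
```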

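**And this is the resource server**

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@EnableResourceServer
@Configuration
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        // Resource id this server identifies itself with when validating tokens
        resources.resourceId("api");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .antMatcher("/api/**")
                .authorizeRequests()
                // Matchers are evaluated in declaration order, so the more specific
                // sign-in rule must come before the general /api/** rule.
                .antMatchers("/api/signin/**").permitAll()
                .antMatchers("/api/**").authenticated()
                .anyRequest().authenticated();
    }
}
```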
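
The observations in the question match how a resource server configured with `resourceId("api")` validates a token in Spring Security OAuth2: the token is rejected only when it carries a non-empty list of resource ids that does not include "api", so a client registered without resource ids is accepted everywhere. The stand-alone model below is an added example, not code from the original post or from the Spring Security OAuth source; the class `ResourceIdCheckDemo`, the `strict` flag and the `billing` resource id are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added example: a hypothetical stand-alone model, not Spring Security OAuth's source.
public class ResourceIdCheckDemo {

    static class AccessDenied extends RuntimeException {
        AccessDenied(String message) { super(message); }
    }

    // serverResourceId: value passed to resources.resourceId(...), or null if unset.
    // tokenResourceIds: resource ids registered for the client that obtained the token.
    // strict: hardened variant (an assumption of this example) that rejects empty lists.
    static void check(String serverResourceId, Set<String> tokenResourceIds, boolean strict) {
        if (serverResourceId == null) {
            return; // this resource server does not restrict by resource id
        }
        if (tokenResourceIds == null || tokenResourceIds.isEmpty()) {
            if (strict) {
                throw new AccessDenied("token carries no resource ids");
            }
            return; // lenient rule: a client without resourceIds passes everywhere
        }
        if (!tokenResourceIds.contains(serverResourceId)) {
            throw new AccessDenied("token does not contain resource id (" + serverResourceId + ")");
        }
    }

    static String decide(String serverResourceId, Set<String> tokenResourceIds, boolean strict) {
        try {
            check(serverResourceId, tokenResourceIds, strict);
            return "ALLOW";
        } catch (AccessDenied e) {
            return "DENY: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: "billing" is a made-up second resource server.
        Set<String> apiOnly = new HashSet<>(Arrays.asList("api"));
        Set<String> none = Collections.emptySet();
        System.out.println("api token   -> api     : " + decide("api", apiOnly, false));
        System.out.println("api token   -> billing : " + decide("billing", apiOnly, false));
        System.out.println("no-id token -> api     : " + decide("api", none, false));
        System.out.println("no-id token -> api (strict): " + decide("api", none, true));
    }
}
```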