OAuth2 is intimidating because the spec talks about roles and grant types before it tells you what problem each one solves. Here is the mental model I wish I had when I first wired it into Spring Security.
Four roles, one sentence each
The resource owner is the user. The client is your app. The authorization server issues tokens. The resource server holds the data and checks those tokens. Every grant type is just a different route for the client to get a token from the authorization server.
Where Spring fits
In a typical service you are building a resource server: it validates the bearer token on each request and maps its claims to authorities. Fine-grained authorization then becomes a method-level concern rather than a gateway concern.
@PreAuthorize("hasAuthority('SCOPE_documents:sign')")
public SignedDocument sign(DocumentRequest req) { ... }Once the vocabulary clicks, the configuration stops feeling like magic and starts reading like a policy you can reason about.