We are following the API quickstart at:
https://auth0.com/docs/quickstart/backend/java-spring-security
We have it working and can hit authorized end points.
In the class SecurityConfig which does the pattern matching and authorization
Question 1 .
Does this class communicate with the Auth0 servers to validate a token that comes in ? Or does it just parse the token and check the token’s format and expiry date ?
Question 2.
If this is just a token parser, what is stopping people spoofing the token, i.e. create a fake token with fake credentials and a new expiry date ?
Following the quickstart you linked you will use the JwtWebSecurityConfigurer class with the forRS256 method. This implies that the received access token will be validated by obtaining the public key of the certificate used to sign the token from the Auth0 service and then performing a signature verification step. The public key is cached so that it does not need to be obtained in every request.
In conclusion, to answer your questions, the token is validated so if you try to pass a token that was not signed by the certificate associated with your Auth0 account the verification will fail even if the token has a valid format or expiration.