The OAuth 2 spec states that
So within the Spring OAuth lib is this performed by the TokenServicesUserApprovalHandler? What is the default behavior if I don't supply my own?
The client accesses protected resources by presenting the access token to the resource server. The resource server MUST validate the access token and ensure that it has not expired and that its scope covers the requested resource. The methods used by the resource server to validate the access token (as well as any error responses) are beyond the scope of this specification but generally involve an interaction or coordination between the resource server and the authorization server.