Polish BearerTokenResolver Docs

Issue gh-6254

Author: jzheaux

docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/access-token.adoc

@@ -33,46 +33,3 @@ SecurityWebFilterChain configure(ServerHttpSecurity http) throws Exception {
 ----
 
 You can now leverage Spring Security's <<webclient>> or <<webflux-roac,@RegisteredOAuth2AuthorizedClient>> support to obtain and use the access token.
-
-== BearerTokenResolver
-
-With interface BearerTokenResolver you can provide a strategy to resolve a bearer token.
-
-The interface provides the next method:
-
-[source,java]
-----
-/**
-* Resolve any <a href="https://tools.ietf.org/html/rfc6750#section-1.2" target="_blank">Bearer Token</a>
-* value from the request.
-*
-* @param request the request
-* @return the Bearer Token value or {@code null} if none found
-* @throws OAuth2AuthenticationException if the found token is invalid
-*/
-String resolve(HttpServletRequest request);
-----
-
-In code base, you can find two implementation of this interface:
-HeaderBearerTokenResolver and DefaultBearerTokenResolver (based on RFC 6750).
-
-Below you can see HeaderBearerTokenResolver, it takes a bearer token from request by header
-which was passed in constructor
-
-[source,java]
-----
-public class HeaderBearerTokenResolver implements BearerTokenResolver {
-
-	private String header;
-
-	public HeaderBearerTokenResolver(String header) {
-		Assert.hasText(header, "header cannot be empty");
-		this.header = header;
-	}
-
-	@Override
-	public String resolve(HttpServletRequest request) {
-		return request.getHeader(this.header);
-	}
-}
-----

docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-resourceserver.adoc

@@ -1151,6 +1151,37 @@ OpaqueTokenIntrospector introspector() {
 Thus far we have only taken a look at the most basic authentication configuration.
 Let's take a look at a few slightly more advanced options for configuring authentication.
 
+[[oauth2resourceserver-bearertoken-resolver]]
+=== Bearer Token Resolution
+
+By default, Resource Server looks for a bearer token in the `Authorization` header.
+This, however, can be customized in a couple of ways.
+
+==== Reading the Bearer Token from a Custom Header
+
+For example, you may have a need to read the bearer token from a custom header.
+To achieve this, you can wire a `HeaderBearerTokenResolver` instance into the DSL, as you can see in the following example:
+
+[source,java]
+----
+http
+    .oauth2ResourceServer()
+        .bearerTokenResolver(new HeaderBearerTokenResolver("x-goog-iap-jwt-assertion"));
+----
+
+==== Reading the Bearer Token from a Form Parameter
+
+Or, you may wish to read the token from a form parameter, which you can do by configuring the `DefaultBearerTokenResolver`, as you can see below:
+
+[source,java]
+----
+DefaultBearerTokenResolver resolver = new DefaultBearerTokenResolver();
+resolver.setAllowFormEncodedBodyParameter(true);
+http
+    .oauth2ResourceServer()
+        .bearerTokenResolver(resolver);
+----
+
 === Bearer Token Propagation
 
 Now that you're in possession of a bearer token, it might be handy to pass that to downstream services.