Look here:
https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/AuthorizationServerSecurityConfigurer.java

The default setting is private String checkTokenAccess = "denyAll()";

So maybe try in AuthorizationServerConfiguration

@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception
{
   oauthServer.checkTokenAccess("isAuthenticated()");    
}

and authenticate yourself, or "permitAll()" if you wish and let anybody use it

@mariubog I tried what you suggested. It did not work either. possible I am doing my curl wrong

curl -X POST -H "Authorization: BEARER d69b97b6-4051-4c13-b781-d4e777435397" -H "Cache-Control: no-cache" -H "Postman-Token: ca8f304d-06d0-daaa-72eb-df224c3993e1" 'http://localhost:9001/oauth/check_token?token=d69b97b6-4051-4c13-b781-d4e777435397'

NOTE: I used BEARER with same token I got back from http://localhost:9001/oauth/token.

I get the following errror which is different than one above

{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}.

I used

@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception
{
   oauthServer.checkTokenAccess("isAuthenticated()");    
}

any help here is much appreciated

If all permitted ("permitAll()") :
curl -X POST http://localhost:8080/oauth/check_token -d "token=40ec1ebd-a6a6-4b1c-a506-a9dcf291a056"
Notice that it returns some sensitive data so preferably use below.

If authentication required ("isAuthenticated()") :
curl -X POST http://localhost:8080/oauth/check_token -vu clientapp:123456 -d "token=12702db1-723b-4d65-92b9-ede3bae05ac7"

About -vu clientapp:123456
-v makes it verbose
-u allows you to provide authentication data username and password and this time you authenticate against Oauth server not web security of the application, so you provide client and secret. I think it is worth mentioning.

It works assuming that you use Roy's example.Obviously you replace above token strings with your tokens.

Good luck.

@mariubog
Thanks. this helped a lot.
Upon

curl -X POST -k -vu clientapp:123456 http://localhost:9001/oauth/token -H "Accept: application/json" -d "password=spring&username=roy&grant_type=password&scope=read%20write&client_secret=123456&client_id=clientapp"

I get

{"access_token":"e9e41273-a36c-4178-a450-0fb2699d3ec9","token_type":"bearer","refresh_token":"bf0f4260-7e80-43af-9706-cdc864bf4c6c","expires_in":43199,"scope":"read write"}

upon this

curl -X POST http://localhost:9001/oauth/check_token -d "token=e9e41273-a36c-4178-a450-0fb2699d3ec9"

I get

{"aud":["restservice"],"exp":1437578526,"user_name":"roy","authorities":["ROLE_USER","ROLE_ADMIN"],"client_id":"clientapp","scope":["read","write"]}

why is expires_in in the first call above and exp in the second call different. (I assume they are expiration times for tokens.) what units (seconds?) are expressed?

Also how to exchange refresh token for access token expiry to get new access token?

Thank you very much for help

I've used

oauthServer.checkTokenAccess("isAuthenticated()"); 

and it's working, but I agree with sridhar1982 on what he is asking:
why is expires_in and exp are different?

expires_in is expressed in seconds, I've changed the ClientDetailsServiceConfigurer access Token Validity to 60 sec..

.accessTokenValiditySeconds(60);

but still getting exp as a static number

@yalmuhaidib: how did you change the access Token validity to 60 sec. can you give the code snippet here. Also any idea on how to change the validity time for refresh token ?

@sridhar1982,
just override the configure for ClientDetailsServiceConfigurer

AuthorizationServerConfiguration extends
            AuthorizationServerConfigurerAdapter {

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            // @formatter:off
            clients
                .inMemory()
                    .withClient("clientapp")
                        .authorizedGrantTypes("password", "refresh_token")
                        .authorities("USER")
                        .scopes("read", "write")
                        .resourceIds(RESOURCE_ID)
                        .secret("123456")
                        .accessTokenValiditySeconds(60);
            // @formatter:on
        }

I've checked sping code, the /check_token endpoint mapping, and it's using DefaultAccessTokenConverter.convertAccessToken method to return the response, this method is not calculating the difference in seconds

public Map<String, ?> convertAccessToken(OAuth2AccessToken token, OAuth2Authentication authentication) {
        Map<String, Object> response = new HashMap<String, Object>();
        /*omitted irrelevant lines */

        if (token.getExpiration() != null) {
            response.put(EXP, token.getExpiration().getTime() / 1000);
        }

           /*omitted irrelevant lines */

        return response;
    }

while in /oath/token endpoint it's using jackson serializer OAuth2AccessTokenJackson2Serializerand it's subtracting the date and converting it to seconds:

if (expiration != null) {
            long now = System.currentTimeMillis();
            jgen.writeNumberField(OAuth2AccessToken.EXPIRES_IN, (expiration.getTime() - now) / 1000);
        }

any input on how to set expiry for refresh token and how to exchange refresh token for a new access token once an access token is expired?

and what is the practical difference between using oauthServer.checkTokenAccess("isAuthenticated()") and oauthServer.checkTokenAccess("permitAll()");

@sridhar1982, the refresh token does not have expiry, it's used to acquire a new access token..
"The refresh token which can be used to obtain new access tokens using the same authorization grant"
from Spring docs OAuth2AccessToken

now how to use it, check the README in this projects (search for refresh_token)

isAuthenticated and permitAll is Spring Security EL for expression support

"permitAll Always evaluates to true" so any request on /check_token will be permitted even anonymous
"isAuthenticated() Returns true if the user is not anonymous" so /check_token is allowed if the user is authenticated with the server (you will see that the user has a session JSESSIONID)

I'm closing this issue as it's solved..

thanks for all :)