The OAuth2 server is the core piece of the complete OAuth2-based solution. Typically it contains 2 services for:
Authorizing request tokens by asking the end users to let clients access some of their resources and returning the grants back to the client (Authorization Service)
Exchanging the token grants for access tokens (Access Token Service)
CXF offers several JAX-RS service implementations that can be used to create the OAuth2 servers fast: AuthorizationCodeGrantService and ImplicitGrantService for managing the redirection-based flows, as well as AccessTokenService for exchanging the grants for new tokens. Note that some grants that do not require the redirection-based support, such as SAML2 one, etc, may only require an Access Token Service be operational.
All of these services rely on the custom OAuthDataProvider which persists the access tokens and converts the opaque scope values to the information that can be presented to the users. Additionally, AuthorizationCodeDataProvider is an OAuthDataProvider which can keep temporary information about the authorization code grants which needs to be removed after the tokens are requested in exchange.
Writing your own OAuthDataProvider implementation is what is needed to get the OAuth2 server up and running. In many cases all you need to do is to persist or remove the Authorization Code Grant data, use one of the available utility classes to create a new access token and also persist it or remove the expired one, and finally convert the optional opaque scope values (if any are supported) to a more view-able information.