I am building web application using Spring. I have multiple Spring client applications and one OAuth2 Authorization and resource server. End user first authenticates within the client app and then client app requests some resource from the resource server (after obtaining access token from the authorization server), processes data and returns it to the user. User can also change data on the resource server, but only through client app. For obtaining resources only client credentials are used, resource owner is trusted client in this case.
On the resource server only client details and resources are stored, no information about the end user. Resource server doesn't care who requested resource, just that request came from the authorized client app.
Client app has CSRF protection but is there a need to enable CSRF protection on the authorization server? I can't think of any attack scenario because communication is server to server, client credentials are securely stored and user cannot directly access the resource.
If your authorization server is only accessible from application servers, I don't see what interest you could have by enabling CSRF protection on both. CSRF protection on servers accessible by end users should be enough. Besides, if your CSRF protection is broken on your application server and then your application communicates with your authorization server, I don't see how you could detect it in your authorization server since the request is done by your server.