From 681e166be83eb42e372f7d7ae56465088fb1b9e8 Mon Sep 17 00:00:00 2001
From: Joe Grandja <10884212+jgrandja@users.noreply.github.com>
Date: Wed, 1 Oct 2025 11:45:09 -0400
Subject: [PATCH] Remove default HttpSecurity.securityMatcher() for authorization server

Closes gh-17965
---
 .../authorization/OAuth2AuthorizationServerConfigurer.java | 2 --
 .../oauth2/authorization-server/getting-started.adoc | 7 ++++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java
index e39ff4a86f..8afee07b66 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.java
@@ -396,8 +396,6 @@ public final class OAuth2AuthorizationServerConfigurer
 new OrRequestMatcher(preferredMatchers));
 }
 
- httpSecurity.securityMatchers((securityMatchers) -> securityMatchers.requestMatchers(this.endpointsMatcher));
-
 httpSecurity.csrf((csrf) -> csrf.ignoringRequestMatchers(this.endpointsMatcher));
 
 if (getConfigurer(OAuth2ClientRegistrationEndpointConfigurer.class) != null) {
diff --git a/docs/modules/ROOT/pages/servlet/oauth2/authorization-server/getting-started.adoc b/docs/modules/ROOT/pages/servlet/oauth2/authorization-server/getting-started.adoc
index d0f22cef75..dacff440a3 100644
--- a/docs/modules/ROOT/pages/servlet/oauth2/authorization-server/getting-started.adoc
+++ b/docs/modules/ROOT/pages/servlet/oauth2/authorization-server/getting-started.adoc
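Review bot: Nothing in this configure step now scopes the HttpSecurity to the authorization server endpoints, and an HttpSecurity without a securityMatcher matches every request, so an existing application whose authorization-server chain is registered with @Order(1) and relied on the removed default will have that chain claim all traffic and shadow any later SecurityFilterChain; the enclosing method starts and ends outside the hunk. The csrf(...) line that follows still exempts only this.endpointsMatcher, which is the right scope, but it now silently depends on the caller having narrowed the chain themselves. Because this is a behavior change rather than a cleanup, the Javadoc of getEndpointsMatcher() (or the class Javadoc) should state that callers are expected to apply `http.securityMatcher(authorizationServer.getEndpointsMatcher())` as the updated getting-started.adoc shows, and a one-line comment at the removal site, `// No default securityMatcher is applied here; callers scope the chain via getEndpointsMatcher()`, would keep the next reader from re-adding it. The patch touches no tests, so I would expect at least one test that relied on the default matcher to need adjusting, though the test sources are not in this patch.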
@@ -132,10 +132,11 @@ public class SecurityConfig {
 // @formatter:off
 http
- .oauth2AuthorizationServer((authorizationServer) ->
+ .oauth2AuthorizationServer((authorizationServer) -> {
+ http.securityMatcher(authorizationServer.getEndpointsMatcher());
 authorizationServer
- .oidc(Customizer.withDefaults()) // Enable OpenID Connect 1.0
- )
+ .oidc(Customizer.withDefaults()); // Enable OpenID Connect 1.0
+ })
 .authorizeHttpRequests((authorize) ->
 authorize
 .anyRequest().authenticated()