Spring OAuth2 授权服务器允许 introspect 无需身份验证


在 Spring OAuth2 授权服务器中有一个内置的端点

/oauth2/introspect
用来检查令牌,但它在返回响应之前要求进行身份验证。而需求是在不进行身份验证的情况下检查令牌。如下面的代码所示,我试图对内置端点
/oauth2/introspect**
使用允许所有(permitAll)放行,但它仍然要求进行身份验证。

maven 依赖

    <!-- Spring Authorization Server (0.3.1 in this question). Its protocol endpoints,
         including /oauth2/introspect, are protected by the configurer's own endpoint
         filters in addition to the filter chain's authorizeRequests rules, which is why
         a permitAll() rule alone does not remove the authentication challenge. -->
    <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-authorization-server</artifactId>
            <version>0.3.1</version>
        </dependency>

代码

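  /**
   * Filter chain for the Authorization Server protocol endpoints (everything matched by
   * {@code endpointsMatcher}: token, introspection, revocation, authorize, jwks, ...).
   *
   * <p>Why {@code permitAll()} on {@code /oauth2/introspect**} does not yield an
   * unauthenticated introspection endpoint: the URL authorization rule is only one layer.
   * The introspection endpoint filter installed by {@link OAuth2AuthorizationServerConfigurer}
   * itself requires an authenticated client (RFC 7662 §2.1 makes this mandatory so that
   * arbitrary callers cannot probe whether tokens are valid), so the request is still
   * challenged. Resource servers are expected to be registered as clients and present
   * their own credentials when introspecting.
   *
   * @param http the shared {@link HttpSecurity} builder supplied by Spring Security
   * @return the built {@link SecurityFilterChain} for the protocol endpoints
   * @throws Exception propagated from {@link HttpSecurity#build()}
   */
  @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // applyPermitDefaultValues() allows any origin ("*"), GET/HEAD/POST and any header.
        // That exposes the token and introspection endpoints to every browser origin;
        // restrict allowedOrigins to the known front-ends before deploying.
        http.cors()
                .configurationSource(request -> new CorsConfiguration()
                        .applyPermitDefaultValues());

        OAuth2AuthorizationServerConfigurer<HttpSecurity> authorizationServerConfigurer =
                new OAuth2AuthorizationServerConfigurer<>();
        RequestMatcher endpointsMatcher = authorizationServerConfigurer.getEndpointsMatcher();

        http.requestMatcher(endpointsMatcher)
                .authorizeRequests(authorizeRequests ->
                        authorizeRequests
                                .antMatchers("/oauth2/introspect**").permitAll()
                                .anyRequest().authenticated())
                // Previously csrf().disable() was followed by csrf(c -> c.ignoringAntMatchers(...)).
                // The second call re-installs the CSRF configurer, so CSRF was in fact re-enabled
                // for every protocol endpoint missing from the ignore list (revocation, for one).
                // This chain only ever handles the protocol endpoints, so ignore the whole matcher,
                // which is what the library's own applyDefaultSecurity does.
                .csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher))
                .apply(authorizationServerConfigurer);

        return http.build();
    }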


    /**
     * Registers the single confidential client this sample authorization server knows about.
     *
     * <p>The client authenticates with {@code client_secret_basic}, uses the
     * {@code client_credentials} grant and receives opaque ({@code REFERENCE}) access tokens,
     * which is exactly the setup in which a resource server has to call
     * {@code /oauth2/introspect} to validate a token.
     *
     * @return an in-memory repository holding that one client
     */
    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        // NOTE(review): tokenEndpointAuthenticationSigningAlgorithm is only consulted for the
        // JWT client-assertion authentication methods; with CLIENT_SECRET_BASIC below it
        // appears to have no effect — confirm before relying on it.
        ClientSettings clientSettings = ClientSettings.builder()
                .tokenEndpointAuthenticationSigningAlgorithm(SignatureAlgorithm.RS256)
                .build();

        // REFERENCE tokens are opaque, so resource servers must introspect them. The ID-token
        // algorithm presumably only matters when an ID token is issued (OIDC flows), so it
        // looks inert for client_credentials — harmless, but worth confirming.
        TokenSettings tokenSettings = TokenSettings.builder()
                .accessTokenFormat(OAuth2TokenFormat.REFERENCE)
                .idTokenSignatureAlgorithm(SignatureAlgorithm.RS256)
                .accessTokenTimeToLive(Duration.ofMinutes(15))
                .build();

        // "{noop}" stores the secret unencoded. Acceptable for a local sample; a real
        // deployment should use a PasswordEncoder-backed id such as {bcrypt}.
        RegisteredClient client = RegisteredClient
                .withId(UUID.randomUUID().toString())
                .clientId("client")
                .clientSecret("{noop}secret")
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .clientSettings(clientSettings)
                .tokenSettings(tokenSettings)
                .scope("read")
                .build();

        return new InMemoryRegisteredClientRepository(client);
    }