Example of allowing /z/ in the GET /oauth/token

fhanik · fhanik · commit 6c951c3cc742 · 2026-02-03T08:59:52.000-08:00
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/beans/OauthEndpointSecurityConfiguration.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/beans/OauthEndpointSecurityConfiguration.java
@@ -348,7 +348,7 @@ UaaFilterChain statelessTokenApiSecurity(HttpSecurity http) throws Exception {
     @Order(FilterChainOrder.OAUTH_05)
     UaaFilterChain tokenEndpointSecurity(HttpSecurity http) throws Exception {
         SecurityFilterChain chain = http
-                .securityMatcher("/oauth/token/**")
+                .securityMatcher("/oauth/token/**", "/z/*/oauth/token/**")
                 .authenticationManager(clientAuthenticationManager)
                 .authorizeHttpRequests( auth -> {
                     auth.requestMatchers("/**").access(anyOf().fullyAuthenticated());
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/UaaTokenEndpoint.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/UaaTokenEndpoint.java
@@ -31,7 +31,7 @@
 import static org.springframework.util.StringUtils.hasText;
 
 @Controller
-@RequestMapping(value = "/oauth/token") //used simply because TokenEndpoint wont match /oauth/token/alias/saml-entity-id
+@RequestMapping(path = {"/oauth/token", "/z/{subdomain}/oauth/token"}) //used simply because TokenEndpoint wont match /oauth/token/alias/saml-entity-id
 public class UaaTokenEndpoint extends TokenEndpoint {
 
     private final boolean allowQueryString;
