When invoking HttpSecurity.oauth2AuthorizationServer, it sets the HttpSecurity.securityRequestMatchers, which makes it difficult to create an authorization server with a single SecurityFilterChain instance. It also leads to confusing behavior.

For example, the following looks like every request will be authenticated, but the configuration is only going to impact requests that match the OAuth2 Authorization Server Endpoints:

http
    .httpBasic(Customizer.withDefaults())
    .authorizeHttpRequests(requests -> requests
        .anyRequest().authenticated()
    )
    .oauth2AuthorizationServer(authz -> authz
        .oidc(Customizer.withDefaults())
    );
return http.build();

This is because the HttpSecurity.securityMatcher is set to endpointsMatcher.

It might seem like this could be overridden using:

http
    // .....
    .securityMatcher(AnyRequestMatcher.INSTANCE);

However, this doesn't work because oauth2AuthorizationServer's invocation of securityMatcher is delayed and overrides the setting of it.

This should be updated to support a single SecurityFilterChain out of the box. Related: https://github.com/spring-projects/spring-authorization-server/issues/1707
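
A regression check for the behavior described above, added here as an example and not taken from the issue or from the Spring projects: it asserts that a request outside the authorization server endpoints is actually covered by a SecurityFilterChain. The test class name and the path /api/private are hypothetical, and the setup assumes a Spring Boot application with JUnit 5 and spring-security-test on the test classpath, where the HTTP Basic entry point answers unauthenticated requests with 401.

```java
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Hypothetical test class: loads the application's own security configuration.
@SpringBootTest
class SecurityFilterChainCoverageTests {

    @Autowired
    private WebApplicationContext context;

    private MockMvc mockMvc;

    @BeforeEach
    void setUp() {
        // springSecurity() puts the application's springSecurityFilterChain
        // in front of MockMvc, so requests pass through the real chains.
        this.mockMvc = MockMvcBuilders.webAppContextSetup(this.context)
                .apply(springSecurity())
                .build();
    }

    @Test
    void requestOutsideAuthorizationServerEndpointsRequiresAuthentication() throws Exception {
        // /api/private is a constructed path that is not one of the
        // authorization server endpoints. If a chain with
        // anyRequest().authenticated() matches it, the unauthenticated
        // request is rejected with 401. Any other status (for example 404
        // or 200) means no SecurityFilterChain matched the request and it
        // reached the application without any security filters applied.
        this.mockMvc.perform(get("/api/private"))
                .andExpect(status().isUnauthorized());
    }
}
```

A failing assertion here indicates that the chain's security matcher is narrower than the authorizeHttpRequests rules suggest.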