ServerBearerTokenAuthenticationConverter validates the query parameter access_token when allowUriQueryParameter is false. The spec states that
Resource servers MAY support this method.
for query string parameters, but does not indicate in the Error Codes section that the access_token parameter MUST be validated if the server doesn't support that particular method for resolving the token.
Note: This also applies to DefaultBearerTokenResolver, and includes when allowFormEncodedBodyParameter is set to false.
Comment From: jonah1und1
I created a PR for this, please feel free to review it.