//You should check WebSecurityConfigurerAdapter method like this:
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/webjars/**", "/oauth/**");
}
//remove "/oauth/**" path. otherwise
//.postAccessToken(Principal principal, @RequestParam Map<String, String> parameters)
//principal will be null.