Reactive OAuth2 Resource Server: Correct way to bypass authentication for a path #105

Open
segaura opened this issue Nov 15, 2022 · 0 comments
segaura commented Nov 15, 2022

In non-reactive spring-security I am able to bypass authorization and authentication using "ignoring()" in a WebSecurityCustomizer

https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configuration/WebSecurityCustomizer.html

which is amazing; however, I am not able to exploit this behaviour along with a "spring-security-powered-oauth2-reactive-resource-server" because @EnableWebFluxSecurity does not allow using WebSecurityCustomizer.

I thought the correct way to do this is using .permitAll() in my SecurityWebFilterChain bean, for instance adding before row 43 in the example something like

.pathMatchers(HttpMethod.GET, "/free-path/**").permitAll()

This works, meaning I can GET any /free-path/something without providing any JWT, but it has the problematic behaviour that, if I provide a JWT, this token is evaluated and, if it's not valid, e.g. expired, I get a 401 response.

What is the correct way to add a "free" path?
Can you kindly consider adding a "free" resource to the reactive sample project to make things clearer?

EDIT: actually I am able to mimic the ignoring() approach using this SO suggestion

.securityMatcher(new NegatedServerWebExchangeMatcher(ServerWebExchangeMatchers.pathMatchers("/free-path/**")))

but I am not sure this is the preferred solution, and I know from the documentation that ignoring() is more for static content than for dynamic content.
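The two approaches described in this issue, side by side in one WebFlux configuration. This is an added example written for this page; it is not code from the issue author or from the Spring Security sample project. It assumes a Spring Boot application whose JwtDecoder is configured through the standard spring.security.oauth2.resourceserver.jwt.issuer-uri property, and the package name, class name and the /free-path/** and /public-docs/** paths are illustrative placeholders. The comments spell out the behavioural difference the issue reports: permitAll() keeps the request inside the filter chain, so a bearer token that is present is still parsed and validated (hence the 401 on an expired JWT), whereas a negated securityMatcher() excludes the path from the chain entirely, so no token is ever inspected there, but the path also receives none of the chain's other protections.

```java
package example.security; // placeholder package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.NegatedServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

@Configuration
@EnableWebFluxSecurity
public class ResourceServerConfig {

    @Bean
    SecurityWebFilterChain apiChain(ServerHttpSecurity http) {
        return http
            // Approach 2 (the ignoring()-like one from the issue's EDIT):
            // requests to /free-path/** match no SecurityWebFilterChain at all.
            // The bearer-token filter never sees them, so an expired or garbage
            // Authorization header cannot produce a 401 here. Trade-off: these
            // requests also get no security headers, no CSRF handling and no
            // SecurityContext, exactly like ignoring() in the servlet stack.
            .securityMatcher(new NegatedServerWebExchangeMatcher(
                ServerWebExchangeMatchers.pathMatchers("/free-path/**")))

            .authorizeExchange(exchanges -> exchanges
                // Approach 1 (permitAll, the one the issue tried first):
                // /public-docs/** needs no authentication, but the request still
                // flows through this chain. If a client sends a bearer token
                // anyway, the resource-server filter validates it before
                // authorization is evaluated, so an invalid JWT is rejected with
                // 401 even though the path itself is open.
                .pathMatchers(HttpMethod.GET, "/public-docs/**").permitAll()
                .anyExchange().authenticated())

            // Stateless bearer-token API: CSRF protection is not applicable, so it
            // is disabled for the paths this chain covers.
            .csrf(ServerHttpSecurity.CsrfSpec::disable)

            // JWT validation; the decoder comes from the issuer-uri property
            // assumed in the lead-in.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .build();
    }
}
```

A quick way to confirm which behaviour a given path has: send a GET with a deliberately expired token in the Authorization header. Under the permitAll path the resource server answers 401 with a WWW-Authenticate header; under the negated securityMatcher path the request reaches the handler as if no header had been sent. If a path is meant to be public but should still carry the chain's security headers, permitAll is the better fit and the 401-on-bad-token behaviour is the price; if the path must be completely outside security (the static-content case the documentation mentions for ignoring()), the negated matcher is the reactive equivalent.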
