diff --git a/secondkey.txt b/secondkey.txt
new file mode 100644
index 000000000..161ddd734
--- /dev/null
+++ b/secondkey.txt
@@ -0,0 +1 @@
+this is test secret
\ No newline at end of file
diff --git a/src/main/java/org/owasp/wrongsecrets/canaries/TokenCallbackSecurityConfiguration.java b/src/main/java/org/owasp/wrongsecrets/canaries/TokenCallbackSecurityConfiguration.java
index 469d6a16f..68c8a9ef7 100644
--- a/src/main/java/org/owasp/wrongsecrets/canaries/TokenCallbackSecurityConfiguration.java
+++ b/src/main/java/org/owasp/wrongsecrets/canaries/TokenCallbackSecurityConfiguration.java
@@ -3,7 +3,6 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
 @Configuration
@@ -12,6 +11,8 @@ public class TokenCallbackSecurityConfiguration extends WebSecurityConfigurerAda
 
   @Override
   protected void configure(HttpSecurity http) throws Exception {
-    http.requestMatcher(r -> r.getRequestURL().toString().contains("canaries")).csrf().disable();
+    http.requestMatcher(r ->
+            r.getRequestURL().toString().contains("canaries") || r.getRequestURL().toString().contains("token"))
+        .csrf().disable();
   }
 }
diff --git a/src/test/java/org/owasp/wrongsecrets/oauth/TokenControllerTest.java b/src/test/java/org/owasp/wrongsecrets/oauth/TokenControllerTest.java
new file mode 100644
index 000000000..5fd19145e
--- /dev/null
+++ b/src/test/java/org/owasp/wrongsecrets/oauth/TokenControllerTest.java
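Review bot: The value committed in secondkey.txt is duplicated verbatim in the new TokenControllerTest (`client_secret=this is test secret`), and the test-only `challengedockermtpath=./` added in src/test/resources/config/application.properties presumably makes the controller resolve this file relative to the working directory, so a test run from any directory other than the repository root would fail as an unauthorized response rather than a clear missing-file error. Consider a comment next to that property, e.g. `# test mount path: secondkey.txt is read from the repository root`, and having the test read the expected secret from the same path it configures so the two copies cannot drift. The file is also committed without a trailing newline; if that is deliberate because the controller compares the raw file content, say so in the same comment so nobody "fixes" it later.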
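Review bot: The new matcher in configure() disables CSRF for every request whose full URL merely contains the substring "token" (or "canaries"): `getRequestURL()` includes scheme, host and the entire path, so a host name or an unrelated path segment containing either word would also be claimed by this ordered chain with CSRF off. Match on request paths instead, e.g. `http.requestMatchers(m -> m.antMatchers("/canaries/**", "/token")).csrf().disable();`, which also states the intent without the lambda. Since the accompanying test only posts client credentials to /token, a one-line comment such as `// /token is called with client credentials by non-browser clients, so CSRF protection does not apply` would record why the exemption is acceptable here.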
@@ -0,0 +1,47 @@
+package org.owasp.wrongsecrets.oauth;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.http.MediaType;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+@AutoConfigureMockMvc
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+class TokenControllerTest {
+
+ @Autowired
+ MockMvc mvc;
+
+ @Test
+ void shouldGetToken() throws Exception {
+ // When
+ var response = mvc.perform(post("/token")
+ .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+ .content("grant_type=client_credentials&client_id=WRONGSECRET_CLIENT_ID&client_secret=this is test secret"));
+
+ // Then
+ response.andExpect(status().isOk())
+ .andExpect(jsonPath("$.access_token").exists())
+ .andExpect(jsonPath("$.token_type").value("bearer"))
+ .andExpect(jsonPath("$.expires_in").value(54321))
+ .andExpect(jsonPath("$.scope").value("user_info"));
+ }
+
+ @Test
+ void shouldNotGetToken() throws Exception {
+ // When
+ var response = mvc.perform(post("/token")
+ .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+ .content("grant_type=client_credentials&client_id=WRONGSECRET_CLIENT_ID&client_secret=this wrong secret"));
+
+ // Then
+ response.andExpect(status().isUnauthorized());
+ }
+
+}
diff --git a/src/test/resources/config/application.properties b/src/test/resources/config/application.properties
index a3c52ef82..27f55a076 100644
--- a/src/test/resources/config/application.properties
+++ b/src/test/resources/config/application.properties
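Review bot: shouldGetToken builds the form body by hand with an unencoded value containing spaces (`client_secret=this is test secret`), which appears to pass only because the mock request's form decoder tolerates literal spaces; a real form client would send `this+is+test+secret`, so the test does not exercise the encoding the controller will actually see. Assuming the controller reads the fields as request parameters, prefer the builder's parameter API, e.g. `post("/token").contentType(MediaType.APPLICATION_FORM_URLENCODED).param("grant_type", "client_credentials").param("client_id", "WRONGSECRET_CLIENT_ID").param("client_secret", "this is test secret")`, which encodes values for you and applies to shouldNotGetToken as well. `WebEnvironment.RANDOM_PORT` is also unnecessary for a MockMvc-only test; the default `MOCK` environment starts faster and makes clear that no real server is involved.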
@@ -3,3 +3,4 @@ asciidoctor.enabled=true
 hints_enabled=true
 reason_enabled=true
 azure.keyvault.enabled=false
+challengedockermtpath=./