Merge branch 'ag-fix-secondary-login' into 'master'

Fix secondary login in maintenance mode

See merge request gitlab-org/gitlab!51494

ee/lib/ee/gitlab/middleware/read_only/controller.rb

@@ -25,7 +25,8 @@ module EE
           }.freeze
 
           ALLOWLISTED_SIGN_IN_ROUTES = {
-            'sessions' => %w{create}
+            'sessions' => %w{create},
+            'oauth/tokens' => %w{create}
           }.freeze
 
           private
@@ -90,7 +91,7 @@ module EE
           end
 
           def sign_in_route?
-            return unless request.post? && request.path.start_with?('/users/sign_in')
+            return unless request.post? && request.path.start_with?('/users/sign_in', '/oauth/token')
 
             ALLOWLISTED_SIGN_IN_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
           end

ee/spec/support/shared_examples/lib/gitlab/middleware/maintenance_mode_gitlab_ee_instance_shared_examples.rb

@@ -93,11 +93,18 @@ RSpec.shared_examples 'write access for a read-only GitLab (EE) instance in main
         end
       end
 
-      it "expects a POST to /users/sign_in URL to be allowed" do
-        response = request.post('/users/sign_in')
+      where(:description, :path) do
+        'sign in route'     | '/users/sign_in'
+        'oauth token route' | '/oauth/token'
+      end
+
+      with_them do
+        it "expects a POST to #{description} URL to be allowed" do
+          response = request.post(path)
 
-        expect(response).not_to be_redirect
-        expect(subject).not_to disallow_request
+          expect(response).not_to be_redirect
+          expect(subject).not_to disallow_request
+        end
       end
     end
   end