**Describe the bug**

We have a Spring Security configuration that explicitly calls out to apply the migrateSession() strategy, but for some reason Spring by default uses the changeSessionId() strategy on the oauth/token endpoint. Is there a way to force Spring to use the migrateSession() strategy on the oauth/token endpoint/all endpoints in general?


```java
@Override
protected void configure(final HttpSecurity http) throws Exception {
    http
        .headers()
            .frameOptions().sameOrigin()
            .and()
        .authorizeRequests()
            // The OAuth Authorization Endpoint (/oauth/authorize) must be secured using spring-security.
            .antMatchers(SLASH_OAUTH_SLASH_AUTHORIZE)
            .authenticated()
            .antMatchers(PATH_LOGOUT_PROCESSING)
            .authenticated()
            .antMatchers("/login/callback")
            .authenticated()
            .and()
        .logout()
            .logoutUrl(PATH_LOGOUT_PROCESSING)
            .logoutSuccessUrl(SLASH)
            .addLogoutHandler(new SecurityContextLogoutHandler())
            .logoutSuccessHandler(logoutSuccessHandler)
            .deleteCookies(JSESSIONID_COOKIE_NAME)
            .and()
        .formLogin()
            .loginProcessingUrl(PATH_LOGIN_PROCESSING)
            .loginPage(PATH_LOGIN_PAGE).permitAll()
            .and()
        .exceptionHandling()
            .accessDeniedPage(PATH_LOGIN_PAGE + "?authorization_error=true")
            .and()
        // By default, Spring Security will create a session when it needs one; this is "ifRequired".
        .sessionManagement()
            .sessionFixation()
            .migrateSession()
            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .invalidSessionUrl(PATH_LOGIN_PAGE)
            .enableSessionUrlRewriting(false)
            // Override the max concurrent sessions with this property. Defaults to -1 (unlimited logins)
            .maximumSessions(1)
            .sessionRegistry(sessionRegistry)
            // Throw an error if the max allowed sessions per user is exceeded
            .maxSessionsPreventsLogin(true);
}

@Bean
public SessionAuthenticationStrategy sessionAuthenticationStrategy() {
    return new RegisterSessionAuthenticationStrategy(sessionRegistry());
}
```

**To Reproduce**

Apply migrateSession() through Spring Security and request an access token using implicit or authorization code.

**Expected behavior**

Spring should explicitly apply the migrateSession() strategy instead of the default changeSessionId() strategy.
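To make the difference between the two strategies concrete, here is an added example (not from this issue and not Spring Security's own code) that applies each SessionAuthenticationStrategy directly to a mock request and reports what changed; it assumes spring-security-web 5.x with spring-test and the javax servlet API on the classpath, and the session attribute it sets is constructed for the demo.

```java
import javax.servlet.http.HttpSession;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

// Assumes spring-security-web 5.x, spring-test and the javax servlet API on the classpath.
public class SessionFixationStrategyDemo {

    // Apply one strategy to a request that already carries a pre-login session and report what changed.
    static String describe(SessionAuthenticationStrategy strategy) {
        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/login");
        MockHttpServletResponse response = new MockHttpServletResponse();
        Authentication auth = new TestingAuthenticationToken("alice", "n/a", "ROLE_USER");

        // Session that existed before authentication; this is the one fixation protection must retire.
        HttpSession before = request.getSession(true);
        before.setAttribute("cart", "item-42"); // constructed sample attribute
        String oldId = before.getId();

        strategy.onAuthentication(auth, request, response);

        HttpSession after = request.getSession(false);
        return strategy.getClass().getSimpleName()
                + ": idChanged=" + !oldId.equals(after.getId())
                + ", sameSessionObject=" + (before == after)
                + ", attributeMigrated=" + "item-42".equals(after.getAttribute("cart"));
    }

    public static void main(String[] args) {
        // migrateSession(): old session invalidated, new session created, attributes copied across.
        System.out.println(describe(new SessionFixationProtectionStrategy()));
        // changeSessionId(): same session object, only its id is rotated (needs Servlet 3.1+).
        System.out.println(describe(new ChangeSessionIdAuthenticationStrategy()));

        // Both strategies are no-ops when the request has no session yet, which is the usual
        // state of a client-authenticated token request; no session is created either.
        MockHttpServletRequest tokenRequest = new MockHttpServletRequest("POST", "/oauth/token");
        new SessionFixationProtectionStrategy().onAuthentication(
                new TestingAuthenticationToken("client", "secret"), tokenRequest, new MockHttpServletResponse());
        System.out.println("session created on stateless request: " + (tokenRequest.getSession(false) != null));
    }
}
```

Running it shows that migrateSession() replaces the session object while changeSessionId() keeps it, and that a request without an existing session is left untouched by either strategy.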

Comment From: jzheaux

Thanks for getting in touch, @jcd006!

It feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements.

Feel free to update this issue with a link to the re-posted question (so that other people can find it) or share a minimal sample application that reproduces the issue if you feel this is a genuine bug.