Expected Behavior

Something like the JwtAuthenticationConverter but for token introspection.

My first thought is, inside OpaqueTokenAuthenticationProvider, delegate AbstractAuthenticationToken convert(OAuth2AuthenticatedPrincipal principal, String token) to a configurable bean.

As we already have the possibility to configure the introspector, another option would be bypassing the call to convert when the introspector return value implements both AuthenticatedPrincipal and Authentication. This option has minimal impact on the code base, but is probably less flexible (and clean) than the preceding one.

Current Behavior

We have no hand on the type of Authentication returned by OpaqueTokenAuthenticationProvider (at least, none I could find).

Context

I'm writing a spring-boot resource-server with token introspection and would like to:

- easily switch the token attribute(s) authorities are mapped from and how it is processed (prefix, case transformation, etc.). For instance, Keycloak puts user authorities into realm_access.roles and resource_access.{client-id}.roles, not in scope (which is used for ... scopes). Other vendors could put it in groups.
- populate the security-context with something else than BearerTokenAuthentication

Ideally, the introspection process would not be touched. Just add a sort of post-processing to successful introspections.

Overriding the introspector for just altering authorities mapping is overkill and I'd like to keep the default introspector: if it is found out that the Nimbus introspector should be updated or replaced with another implementation for whatever security or performance reason, I'd like to benefit from it (which won't happen if it is overridden for authorities mapping).
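As an illustration of the post-introspection hook this issue asks for, here is an added example (not code from Spring Security or from the issue author). It assumes the provider delegates `convert(OAuth2AuthenticatedPrincipal principal, String token)` to a bean like this one; the class name, the `clientId` and `prefix` constructor parameters, and the `ROLE_` prefix are all assumptions. It reads Keycloak-style `realm_access.roles` and `resource_access.{client-id}.roles` from the introspection attributes, normalises them, and builds the `Authentication` that would land in the security context, without replacing the introspector itself.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Map;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;

/**
 * Assumed post-introspection converter (hypothetical hook, not a Spring Security API):
 * maps Keycloak realm and client roles to prefixed, upper-cased authorities and
 * returns the Authentication to store in the security context.
 */
public class KeycloakIntrospectionAuthenticationConverter {

    private final String clientId; // assumed: the resource server's Keycloak client id
    private final String prefix;   // assumed: e.g. "ROLE_" so hasRole("admin") works

    public KeycloakIntrospectionAuthenticationConverter(String clientId, String prefix) {
        this.clientId = clientId;
        this.prefix = prefix;
    }

    /** Signature mirrors the provider method the issue proposes delegating. */
    public Authentication convert(OAuth2AuthenticatedPrincipal principal, String token) {
        Collection<GrantedAuthority> authorities = extractAuthorities(principal.getAttributes());
        // The Nimbus introspector exposes iat/exp as Instant; both may be absent.
        Instant issuedAt = principal.getAttribute("iat");
        Instant expiresAt = principal.getAttribute("exp");
        OAuth2AccessToken accessToken = new OAuth2AccessToken(
                OAuth2AccessToken.TokenType.BEARER, token, issuedAt, expiresAt);
        // Keep the default principal/credentials but with our authorities.
        return new BearerTokenAuthentication(principal, accessToken, authorities);
    }

    /** Collects realm_access.roles plus resource_access.{clientId}.roles. */
    @SuppressWarnings("unchecked")
    public Collection<GrantedAuthority> extractAuthorities(Map<String, Object> attributes) {
        List<String> roles = new ArrayList<>();
        Object realmAccess = attributes.get("realm_access");
        if (realmAccess instanceof Map) {
            roles.addAll(rolesOf((Map<String, Object>) realmAccess));
        }
        Object resourceAccess = attributes.get("resource_access");
        if (resourceAccess instanceof Map) {
            Object client = ((Map<String, Object>) resourceAccess).get(clientId);
            if (client instanceof Map) {
                roles.addAll(rolesOf((Map<String, Object>) client));
            }
        }
        List<GrantedAuthority> authorities = new ArrayList<>(roles.size());
        for (String role : roles) {
            // Case transformation and prefixing happen here, in one place.
            authorities.add(new SimpleGrantedAuthority(prefix + role.toUpperCase(Locale.ROOT)));
        }
        return authorities;
    }

    /** Tolerates a missing or malformed "roles" entry instead of throwing. */
    private static Collection<String> rolesOf(Map<String, Object> access) {
        Object roles = access.get("roles");
        if (!(roles instanceof Collection)) {
            return Collections.emptyList();
        }
        List<String> out = new ArrayList<>();
        for (Object role : (Collection<?>) roles) {
            if (role != null) {
                out.add(role.toString());
            }
        }
        return out;
    }

    /** Stand-alone check on a constructed introspection response (not a real token). */
    public static void main(String[] args) {
        Map<String, Object> attributes = Map.of(
                "active", true,
                "realm_access", Map.of("roles", List.of("user", "offline_access")),
                "resource_access", Map.of("my-client", Map.of("roles", List.of("admin"))));
        KeycloakIntrospectionAuthenticationConverter converter =
                new KeycloakIntrospectionAuthenticationConverter("my-client", "ROLE_");
        // Expected: ROLE_USER, ROLE_OFFLINE_ACCESS, ROLE_ADMIN
        converter.extractAuthorities(attributes).forEach(a -> System.out.println(a.getAuthority()));
    }
}
```

Because the converter only consumes the attribute map the introspector already produced, the Nimbus introspector (and any future replacement of it) stays untouched; only the mapping from claims to authorities, and the choice of `Authentication` type, is overridden.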