We should add a default method CsrfTokenRepository.loadToken(HttpServletRequest, HttpServletResponse) that returns DeferredCsrfToken (implements Supplier<CsrfToken>).