Expected Behavior Configurable AuthenticationWebFilter for OAuth2 clients with OAuth2 login

Current Behavior OAuth2LoginSpec::configure(ServerHttpSecurity http) instantiates an OAuth2LoginAuthenticationWebFilter and I could not find a way to override this behavior nor to replace that instance after it was created.

Context I'd like to extend OAuth2LoginAuthenticationWebFilter to change its onAuthenticationSuccess method and build global indexes to successful authentications (like ID-token => session ID, subject => session ID and session ID => authentication). This would be useful for instance when implementing back-channel logout: access to the session to invalidate would be super easy.

Also, this might seem like an edge case, but OAuth2AuthenticationToken doesn't fit very well with the case where a user has several identities simultaneously: he is identified by more than one OP and has several OAuth2AuthorizedClient with different names (a subject per issuer). I'd like to use an Authentication instance able to maintain a map of identities per issuer.

Comment From: ch4mpy

Reading the OAuth2LoginAuthenticationWebFilter again after I created this issue, I just realized I'd better hook into the ServerOAuth2AuthorizedClientRepository to update the index when an identity is added, but also when one is removed, and this repo is already configurable.

For the second point, rather than overriding the AuthenticationWebFilter, providing a configurable authentication converter (like those already available for resource servers) would probably be a better way to go.
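
The repository hook described in the comment above, sketched as an added example (not code from the issue or from Spring Security): a decorator around the configured ServerOAuth2AuthorizedClientRepository that maintains an identity => session ID index for a back-channel logout handler to query. The class name, the key layout, the in-memory map and the use of `principal.getName()` as the subject are assumptions.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

// Hypothetical decorator: name and index layout are assumptions, not a Spring Security API.
public class IndexingAuthorizedClientRepository implements ServerOAuth2AuthorizedClientRepository {
    private final ServerOAuth2AuthorizedClientRepository delegate;
    // "registrationId|principalName" -> session IDs. In-memory, so single-instance only;
    // entries for expired sessions must be purged elsewhere.
    private final Map<String, Set<String>> sessionsByIdentity = new ConcurrentHashMap<>();

    public IndexingAuthorizedClientRepository(ServerOAuth2AuthorizedClientRepository delegate) {
        this.delegate = delegate;
    }
    // Assumes principal.getName() is the subject (user-name attribute mapped to "sub").
    private static String key(String registrationId, String principalName) {
        return registrationId + "|" + principalName;
    }
    @Override
    public <T extends OAuth2AuthorizedClient> Mono<T> loadAuthorizedClient(
            String registrationId, Authentication principal, ServerWebExchange exchange) {
        return delegate.loadAuthorizedClient(registrationId, principal, exchange);
    }
    @Override
    public Mono<Void> saveAuthorizedClient(
            OAuth2AuthorizedClient client, Authentication principal, ServerWebExchange exchange) {
        String k = key(client.getClientRegistration().getRegistrationId(), principal.getName());
        return delegate.saveAuthorizedClient(client, principal, exchange)
            .then(exchange.getSession())   // index only after the delegate has stored the client
            .doOnNext(s -> sessionsByIdentity
                .computeIfAbsent(k, x -> ConcurrentHashMap.newKeySet()).add(s.getId()))
            .then();
    }
    @Override
    public Mono<Void> removeAuthorizedClient(
            String registrationId, Authentication principal, ServerWebExchange exchange) {
        String k = key(registrationId, principal.getName());
        return delegate.removeAuthorizedClient(registrationId, principal, exchange)
            .then(exchange.getSession())
            .doOnNext(s -> sessionsByIdentity.computeIfPresent(k, (x, ids) -> {
                ids.remove(s.getId());
                return ids.isEmpty() ? null : ids;   // drop empty entries so the index cannot grow unbounded
            }))
            .then();
    }
    // Lookup for a back-channel logout handler; returns an immutable snapshot.
    public Set<String> sessionIds(String registrationId, String principalName) {
        return Set.copyOf(sessionsByIdentity.getOrDefault(key(registrationId, principalName), Set.of()));
    }
}
```

A logout handler using this index should only act on a logout token whose signature, issuer and audience have already been validated, since the lookup itself grants the ability to terminate another user's session.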