The OAuth2AuthorizationExchange class should be serializable since it is used as a field of OAuth2AuthorizationCodeAuthenticationToken, which in turn implements Serializable, requiring all its fields to be serializable too.
@Test
void oauth2AuthorizationExchangeShouldBeSerializable() throws IOException {
OAuth2AuthorizationExchange exchange = TestOAuth2AuthorizationExchanges.success();
try (ByteArrayOutputStream baos = new ByteArrayOutputStream();
ObjectOutputStream objectOutputStream = new ObjectOutputStream(baos)) {
objectOutputStream.writeObject(exchange);
objectOutputStream.flush();
}
}