Describe the bug Since the introduction of the authenticationConverter in 6.3, the default implementation (this::defaultAuthenticationConverter) does not add found scopes as granted authorities as part of introspection because the check if (!(scopes instanceof ArrayListFromString)) always returns false on line 261, as by the time the scopes list reaches here, it has been converted into a normal ArrayList in the accessor.getScopes() as part of the getClaimAsStringList default method without customising the ClaimConversionService and therefore fails the check above and returns an empty list.

To Reproduce Use the default implementation of SpringOpaqueTokenIntrospector without customisation of it or the ClaimConversionService used by the ClaimAccessor interface.

Expected behavior Scopes are added correctly as "SCOPE_" granted authorities.

Sample

Not sure a sample is required here? This is the default behaviour.

Comment From: jzheaux

Thanks, @Veil, for the report. This is now fixed in main and will go out in the next snapshot.

Comment From: Veil

@jzheaux awesome. For personal curiosity, what's the thinking behind not supporting any other List implementation in the defaultAuthenticationConverter? It doesn't look like we're doing anything special with that type?