Remove OAuth2AuthenticationToken.AccessToken

[jgrandja]

An AccessToken lives longer than an Authentication. For example, a user's authenticated session may last for an hour, whereas the AccessToken associated with the user and AuthorizedClient may last a day.

We should remove this association and start leveraging SecurityTokenRepository<AccessToken> when the AuthorizedClient needs the AccessToken to make a protected resource call.

[jgrandja]

The original comment in this issue is outdated as a result of the restructuring of OAuth2AuthenticationToken c54c622. The new OAuth2ClientAuthenticationToken is composed of a ClientRegistration and AccessToken.

After giving it some further thought, we'll leave things as is. It makes sense to have this association in OAuth2ClientAuthenticationToken as an instance of this Authentication represents an Authorized Client. We are also leveraging SecurityTokenRepository<AccessToken> to save the AccessToken after it's initially granted so it can always be retrieved at a later point or in a subsequent user session.

Closing this and leaving as is.