spring-projects / spring-security

Spring Security

Home Page:http://spring.io/projects/spring-security

`JwtAuthenticationProvider` should use provided authentication details

ch4mpy opened this issue · comments

Describe the bug
JwtAuthenticationProvider delegates the instantiation of an Authentication to a Converter<Jwt, ? extends AbstractAuthenticationToken>, but it then alters the returned value's details property.

For a framework user providing a Converter<Jwt, AbstractAuthenticationToken> bean which sets authentication details, this means he won't get the details he had set when later accessing the authentication (from security expressions, for instance).

Please note that JwtReactiveAuthenticationManager, the reactive counterpart of JwtAuthenticationProvider written by @rwinch, does not set details after the Authentication is returned by the converter.

To Reproduce

  • Create a DemoAuthentication extends AbstractAuthenticationToken class which sets details in its constructor and make it immutable (override setDetails to throw an exception)
  • Configure a resource-server with JWT decoder and a Converter<Jwt, DemoAuthentication>

An exception will be thrown by JwtAuthenticationProvider as soon as a request is submitted with a valid JWT.

Expected behavior
This kind of side effect on the Authentication instance is a problem when the framework user has provided a jwtAuthenticationConverter which intentionally sets authentication details.

Ideally, details property would be set by the jwtAuthenticationConverter (not the JwtAuthenticationProvider).

Another solution with minimal code impact would be preventing JwtAuthenticationProvider from touching authentication details when they are not null.

Sample
https://github.com/ch4mpy/spring-security-11822

  • edit application.properties to point to your favorite authorization-server
  • get a JWT access-token
  • edit TOKEN value in SpringSecurity11822ApplicationTests
  • run SpringSecurity11822ApplicationTests
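The reproduction described in this issue, written out as an added example (not code from spring-security or from the linked sample repository): an immutable authentication whose converter sets the details itself, plus the null-guard the issue proposes, here as a hypothetical `copyDetailsIfAbsent` helper. The `ROLE_USER` authority and the issuer detail map are constructed sample values.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.Map;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;

/**
 * Added illustration of the reproduction described above (not project code).
 * Details are fixed at construction time; any later setDetails() call is rejected,
 * which is what turns the provider's side effect into a visible exception.
 */
public class DemoAuthentication extends AbstractAuthenticationToken {

    private final Jwt jwt;

    public DemoAuthentication(Jwt jwt, Collection<? extends GrantedAuthority> authorities, Object details) {
        super(authorities);
        this.jwt = jwt;
        super.setDetails(details); // the only place details are written
        setAuthenticated(true);
    }

    @Override
    public void setDetails(Object details) {
        throw new UnsupportedOperationException("DemoAuthentication details are immutable");
    }

    @Override public Object getCredentials() { return jwt.getTokenValue(); }
    @Override public Object getPrincipal() { return jwt.getSubject(); }

    /** Converter to expose as a bean; it sets the details itself (authority and detail map are sample values). */
    public static Converter<Jwt, DemoAuthentication> converter() {
        return jwt -> new DemoAuthentication(jwt,
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")),
                Map.of("issuer", String.valueOf(jwt.getIssuer())));
    }

    /** Hypothetical guard the issue proposes for the provider: copy bearer details only when the converter left them unset. */
    static void copyDetailsIfAbsent(AbstractAuthenticationToken token, Object bearerDetails) {
        if (token.getDetails() == null) {
            token.setDetails(bearerDetails);
        }
    }
}
```

Registering `DemoAuthentication.converter()` as the provider's jwtAuthenticationConverter reproduces the exception on the first valid JWT, while routing the provider through `copyDetailsIfAbsent` leaves the converter's details untouched.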