Re-structure OAuth2AuthenticationToken

[jgrandja]

We should introduce a new Authentication that holds credentials returned from the Token Endpoint, for example, Access Token, Refresh Token and ID Token (for OIDC flows).

In the current design, OAuth2AuthenticationToken holds AccessToken and IdToken. With the proposed design, the new OAuth2TokensAuthenticationToken would hold the AccessToken and RefreshToken (future construct) and extend from AbstractAuthenticationToken

OAuth2AuthenticationToken should then extend OAuth2TokensAuthenticationToken which will hold the principal and associated authorities.

Hierarchy: OAuth2AuthenticationToken -> OAuth2TokensAuthenticationToken -> AbstractAuthenticationToken

Related #4521

[jgrandja]

Instead of going with the proposed design as per above, I decided to split up OAuth2AuthenticationToken into OAuth2ClientAuthenticationToken and OAuth2UserAuthenticationToken.

The OAuth2ClientAuthenticationToken holds the ClientRegistration and AccessToken and represents the Authorized Client by the Resource Owner.

And the OAuth2UserAuthenticationToken represents an authenticated OAuth 2.0 User which is associated with a OAuth2ClientAuthenticationToken.