Add @transient to OAuth2IntrospectionAuthenticationToken

fixes gh-6829

Author: florian42

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java

@@ -564,6 +564,22 @@ public void requestWhenDefaultConfiguredThenSessionIsNotCreated()
 		assertThat(result.getRequest().getSession(false)).isNull();
 	}
 
+	@Test
+	public void requestWhenIntrospectionConfiguredThenSessionIsNotCreated()
+			throws Exception {
+
+		this.spring.register(RestOperationsConfig.class, OpaqueTokenConfig.class, BasicController.class).autowire();
+		mockRestOperations(json("Active"));
+
+		MvcResult result = this.mvc.perform(get("/authenticated")
+				.with(bearerToken("token")))
+				.andExpect(status().isOk())
+				.andExpect(content().string("test-subject"))
+				.andReturn();
+
+		assertThat(result.getRequest().getSession(false)).isNull();
+	}
+
 	@Test
 	public void requestWhenUsingDefaultsAndNoBearerTokenThenSessionIsCreated()
 			throws Exception {

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionAuthenticationToken.java

@@ -22,6 +22,7 @@
 
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.SpringSecurityCoreVersion;
+import org.springframework.security.core.Transient;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.util.Assert;
 
@@ -36,6 +37,7 @@
  * @author Josh Cummings
  * @since 5.2
  */
+@Transient
 public class OAuth2IntrospectionAuthenticationToken
 		extends AbstractOAuth2TokenAuthenticationToken<OAuth2AccessToken> {