Describe the bug
When OAuth2 consent is enabled, the OAuth2AuthorizationConsentAuthenticationToken does not set authorities, but the subsequent OAuth2AuthorizationConsentAuthenticationProvider expects non-empty authorities.
Code pointers:
The constructor for OAuth2AuthorizationConsentAuthenticationToken sets the authorities to an empty list by calling the super constructor:
https://github.com/spring-projects/spring-security/blob/main/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationConsentAuthenticationToken.java#L70
What I understand is that the authorities are final and not modifiable.
OAuth2AuthorizationConsentAuthenticationProvider rejects an OAuth2AuthorizationConsentAuthenticationToken with no authorities:
https://github.com/spring-projects/spring-security/blob/main/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationConsentAuthenticationProvider.java#L206
To Reproduce
Add a new OAuth2 client that requires authorization consent.
    import java.util.UUID
    import org.springframework.context.annotation.Bean
    import org.springframework.context.annotation.Configuration
    import org.springframework.security.oauth2.core.AuthorizationGrantType
    import org.springframework.security.oauth2.core.ClientAuthenticationMethod
    import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository
    import org.springframework.security.oauth2.server.authorization.client.RegisteredClient
    import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository
    import org.springframework.security.oauth2.server.authorization.settings.ClientSettings

    @Configuration
    class ClientConfig {

        // Public (PKCE) client using the authorization code grant; consent is required,
        // so the consent page and OAuth2AuthorizationConsentAuthenticationProvider are exercised.
        @Bean
        fun registeredClientRepository(): RegisteredClientRepository {
            val client = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("myclient")
                .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("http://localhost:6274/oauth/callback")
                .clientSettings(
                    ClientSettings.builder()
                        .requireAuthorizationConsent(true)
                        .requireProofKey(true)
                        .build(),
                )
                .build()
            return InMemoryRegisteredClientRepository(client)
        }
    }
Expected behavior
The OAuth2AuthorizationConsentAuthenticationProvider should not check for authorities (not totally sure about this)...