CAUTION This is a ticket that needs to be considered by the Spring Security team and thus is not currently a candidate for a pull request.
Currently, there is a lot of duplicated logic for merging two Authentication instances that cannot be replaced (see https://github.com/spring-projects/spring-security/commit/64c9e3e210d60b775ae0bcdea004fc1fc213e1ca for the locations).
We should consider adding Authentication.Builder.authentication(Authentication) which can encapsulate the logic and allow custom Authentication.toBuilder() implementations to replace the way in which the Authentication instances are merged.