This repository has been archived by the owner on May 31, 2022. It is now read-only.

Decouple token value generation from DefaultTokenServices #333

Closed
palmgren opened this issue Dec 11, 2014 · 4 comments

Comments

@palmgren

Currently, DefaultTokenServices generates new access and refresh token values using UUID.randomUUID() directly in two private methods that do a bunch of other stuff. This makes it very hard for users to customize token key generation if they want to. I propose that either (a) a new strategy interface is created for key generation, or (b) it gets pulled into its own protected method so that subclasses can override it.

It appears to be possible to edit the generated access token value in a roundabout way with the accessTokenEnhancer field by casting the token to its subclass. However, even this is impossible for the refresh token.

@jonas-grgt

Another solution might be to make it configurable, for example through the AuthorizationServerEndpointsConfigurer.

The AuthorizationServerEndpointsConfigurer could pass it (as in the interface that generates the token) to the specific TokenGranter, which could pass it down to the DefaultTokenServices.

Another option might be to use the TokenEnhancer to override the generated token, but not sure if that might work.

@jonas-grgt

In some way this is related to #318, since, looking at this issue, you could start from #318's idea of adding a builder for the TokenServices and extend that idea by adding the ability to set/change the default token generation pattern.

@dsyer
Contributor

dsyer commented Dec 16, 2014

If you want to change the form or content of the access token there are loads of existing strategies, so I doubt if we need a new one. For instance, TokenEnhancer would probably be the best starting point (and there is already a builder method in AuthorizationServerEndpointsConfigurer).

@dsyer
Contributor

dsyer commented Jan 29, 2015

P.S. the JwtAccessTokenConverter is a TokenEnhancer and it modifies the refresh token value, so I do believe all the strategies you need are available.

@dsyer dsyer closed this as completed Feb 23, 2015
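
The TokenEnhancer approach discussed in this thread, as an added example that is not code from the issue or from the Spring Security OAuth project: an enhancer that replaces the generated access and refresh token values with SecureRandom output, copying the token the same way a caller would when it cannot rely on the concrete subclass. The class name `RandomValueTokenEnhancer` and the 32-byte length are assumptions, and the example assumes refresh tokens are not reused on a refresh grant (`DefaultTokenServices.setReuseRefreshToken(false)`), so that every replaced refresh value is also the one written to the token store.

```java
import java.security.SecureRandom;
import java.util.Base64;

import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
import org.springframework.security.oauth2.common.ExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;

/** Hypothetical enhancer: swaps the UUID token values for random 256-bit strings. */
public class RandomValueTokenEnhancer implements TokenEnhancer {

    private static final int TOKEN_BYTES = 32; // assumption: 256 bits per token value

    private final SecureRandom random = new SecureRandom();

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        // Copy instead of casting, so any OAuth2AccessToken implementation is accepted.
        DefaultOAuth2AccessToken result = new DefaultOAuth2AccessToken(accessToken);
        result.setValue(newValue());

        // Assumes setReuseRefreshToken(false): the value set here must be the stored one.
        OAuth2RefreshToken refreshToken = result.getRefreshToken();
        if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
            // Keep the original expiry; only the value changes.
            result.setRefreshToken(new DefaultExpiringOAuth2RefreshToken(newValue(),
                    ((ExpiringOAuth2RefreshToken) refreshToken).getExpiration()));
        } else if (refreshToken != null) {
            result.setRefreshToken(new DefaultOAuth2RefreshToken(newValue()));
        }
        return result;
    }

    private String newValue() {
        byte[] bytes = new byte[TOKEN_BYTES];
        random.nextBytes(bytes);
        // URL-safe and unpadded, so the value survives headers and form parameters.
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }
}
```

An instance is registered through the `tokenEnhancer(...)` builder method on `AuthorizationServerEndpointsConfigurer` mentioned above.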