Closed
Description
Currently, the OidcLoginRequestPostProcessor documentation states:

    Supplying an {@link OidcUser} will take precedence over {@link #idToken}, {@link #userInfo}, and list of {@link GrantedAuthority}s to use.

This means that if an app does:

    oidcLogin()
        .oidcUser(fooOidcUser)
        .authorities(barAuthority)

Then the second call will have no effect.
This isn't consistent, though, with how other builders in Spring Security work. Generally speaking, builders should respect the order in which their methods are invoked. Instead,

    oidcLogin()
        .oidcUser(fooOidcUser)
        .authorities(barAuthority)

should cause the builder to give precedence to the authorities given since that's what was called last.
The reason for this is so that apps can more easily build helper methods that construct and return an OidcLoginRequestPostProcessor for further configuration:

    private static OidcLoginRequestPostProcessor fooOidcLogin() {
        return oidcLogin().oidcUser(fooOidcUser);
    }

And then

    @Test
    public void test() {
        this.mvc.perform(get("/")
            .with(fooOidcLogin()
                .authorities(barAuthority))) // ...
    }

will work as expected.
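
A self-contained model of the order-respecting behaviour requested above, added here as an illustration and not taken from Spring Security. LoginBuilder, User and the default values are hypothetical stand-ins for OidcLoginRequestPostProcessor and OidcUser; it shows one way a builder can let the last call decide, so that a test's authorization checks run against the authorities the test actually asked for.

```java
import java.util.List;
import java.util.function.Supplier;

// Hypothetical, simplified model of the builder discussed above (Java 16+).
// Not Spring Security code: names and defaults are assumptions for illustration.
public class LastCallWinsDemo {

    // Stand-in for OidcUser: a subject plus its granted authorities.
    record User(String subject, List<String> authorities) {}

    static final class LoginBuilder {
        private List<String> authorities = List.of("SCOPE_read");
        // Resolved lazily at build(), so whichever method ran last decides the result.
        private Supplier<User> user = this::defaultUser;

        LoginBuilder authorities(String... authorities) {
            this.authorities = List.of(authorities);
            this.user = this::defaultUser; // discard any user supplied earlier
            return this;
        }

        LoginBuilder user(User explicit) {
            this.user = () -> explicit; // overrides authorities set earlier
            return this;
        }

        User build() {
            return this.user.get();
        }

        private User defaultUser() {
            return new User("user", this.authorities);
        }
    }

    public static void main(String[] args) {
        User foo = new User("foo", List.of("ROLE_FOO"));

        // authorities(...) called last: the explicit user is replaced.
        User a = new LoginBuilder().user(foo).authorities("ROLE_BAR").build();
        // user(...) called last: the explicit user wins.
        User b = new LoginBuilder().authorities("ROLE_BAR").user(foo).build();

        if (!a.authorities().equals(List.of("ROLE_BAR"))) throw new AssertionError(a);
        if (!b.authorities().equals(List.of("ROLE_FOO"))) throw new AssertionError(b);
        System.out.println(a + " / " + b);
    }
}
```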