ID Token missing sid claim after refresh_token grant

[IwantDomore]

Describe the bug

After using the refresh token, the obtained id_token does not contain the claim of sid, because there is no sid field, I failed to log out, because the sid field was verified in the logout logic

To Reproduce

1.Get authorization code

I use the /oauth2/authorize authorization endpoint in the browser to get the code

2.Obtain token using authorization code

3.Parse the id_token and find that the id_token obtained using the authorization code mode contains the claim sid

4.Use refresh_token to reacquire token

5.Parse the id_token again and find that there is no sid field

6.The id_token needs to be used when logging out, but the id_token parsed in the background does not contain the sid claim and an error is reported

Expected behavior
1.Through the general browsing code, it is found that in the token obtained in the authorization code mode, the sid will be added to the claim when it is judged that the seesionInfomation exists, but the sid is not added when the token is constructed using the refresh token mode.

2.Hope the author can check and solve my difficulty, thank you very much.

[crazycoder-111]

Perhaps it is necessary to add this piece of code in the authenticate() method of OAuth2RefreshTokenAuthenticationProvider as well：```
SessionInformation sessionInformation = getSessionInformation(principal);
if (sessionInformation != null) {
try {
// Compute (and use) hash for Session ID
sessionInformation = new SessionInformation(sessionInformation.getPrincipal(),
createHash(sessionInformation.getSessionId()), sessionInformation.getLastRequest());
} catch (NoSuchAlgorithmException ex) {
OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.SERVER_ERROR,
"Failed to compute hash for Session ID.", ERROR_URI);
throw new OAuth2AuthenticationException(error);
}
tokenContextBuilder.put(SessionInformation.class, sessionInformation);

[jgrandja]

Thank you for reporting this @IwantDomore. I just pushed the fix.