Improve Observability

[jzheaux]

Making Spring Security's actions observable at runtime will help make applications more secure. Following recommendations from OWASP, we should:

• [x] Add authorization events
• [ ] Add OAuth2 client authorization events
• [ ] Add defense violation events (CSP violation, CSRF violation, firewall rejection, etc.)
• [ ] Add user/password lifecycle events
• [ ] Consider introducing secure header report-uri endpoints

It would be helpful to have a marker class that security events can be identified by:

• [ ] Add SecurityEvent

When these events are fired, Spring Security should:

• [ ] Pipe authentication events to Micrometer
• [ ] Pipe authorization events to Micrometer
• [ ] Pipe defense violation events to Micrometer
• [ ] Pipe session management events to Micrometer
• [ ] Pipe custom security events to Micrometer

It can also help applications evaluate performance and usage. To that end we should:

• [x] #11989
• [ ] Instrument OAuth2AuthorizedClientProvider
• [x] #11990
• [x] #11991
• [x] #11992
• [ ] #11993
• [x] #11994

[jzheaux]

Before proceeding on piping events, it's important to understand the following two scenarios:

• How does this complement (or not) Spring Actuator
• What does event collection look like when events are published asynchronously