Hi,
in general I would argue that it is not necessary to change the session id for a refresh token to access token exchange.
Would you agree?
If so, is there maybe a different way to update the subject data other than using Subject.login in ShiroHelper?
Of course we can adapt the Shiro side and use a custom WebSecurityManager if we don't want to change the session id in this case,
but maybe we can also avoid this in the pac4j code?
I would be glad to hear your opinion on this matter before opening any PR.
Thanks,
Anna