Secure AI agent APIs with Spring Security 7 - RBAC, method security, OAuth2, and per-user agent access control
Score: 90 (90%). Does it follow best practices? Impact: 92%. 1.24x average score across 3 eval scenarios. Passed, no known issues.
A mid-sized company is rolling out an AI assistant that internal teams will access using their corporate Single Sign-On credentials. The identity provider issues JWTs that include a custom roles claim (e.g. ["USER", "AGENT", "ADMIN"]) instead of the standard scope or authorities field used by default Spring Security converters.
The security team has provided the issuer URI for the identity provider (https://sso.corp-internal.example.com). The assistant API must validate incoming JWTs against this issuer and translate the roles claim into the appropriate Spring Security authority format so that role-based access control annotations on tool methods work correctly.
A previous developer sketched a setup that used the OAuth2 password grant to exchange credentials for tokens directly — the security team has flagged this and wants it removed in favor of the correct OAuth2 flow.
Produce the following files:

- application.yml: configures the JWT resource server with the issuer URI
- SecurityConfig.java: Spring Security configuration that correctly validates incoming JWTs and maps the corporate roles claim to the appropriate Spring Security authorities
- MIGRATION_NOTES.md: a short document explaining what was wrong with the previous password-grant-based setup and what the correct alternative is

The SecurityConfig.java should be complete enough that a developer can drop it into a Spring Boot 4.x project and have it compile.
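The configuration the scenario asks for, as an added example (not code from the original page or from any referenced project): it validates bearer JWTs against the stated issuer and maps the custom `roles` claim onto `ROLE_`-prefixed authorities so that `@PreAuthorize("hasRole(...)")` on tool methods works. The package name, the `/actuator/health` permit-all matcher, and the `AgentTools` service with its `runAgent` method are assumptions made for illustration; the issuer URI and the claim name come from the scenario text.

```java
package com.example.assistant.security;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // turns on @PreAuthorize / @PostAuthorize on beans
public class SecurityConfig {

    // Issuer supplied by the security team; read from application.yml
    // (spring.security.oauth2.resourceserver.jwt.issuer-uri).
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuerUri;

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // assumed unauthenticated health endpoint; everything else needs a valid token
                .requestMatchers("/actuator/health").permitAll()
                .anyRequest().authenticated())
            // Resource server only validates tokens; it never exchanges user credentials itself.
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())))
            // Bearer-token API: no server-side session and no cookie-based CSRF surface.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Reads the issuer's discovery document, fetches its JWK set, and installs
        // the default validators: signature, exp/nbf, and "iss" must equal issuerUri.
        return JwtDecoders.fromIssuerLocation(issuerUri);
    }

    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter roles = new JwtGrantedAuthoritiesConverter();
        roles.setAuthoritiesClaimName("roles"); // corporate claim, not the default "scope"/"scp"
        roles.setAuthorityPrefix("ROLE_");      // ["AGENT"] -> ROLE_AGENT, so hasRole('AGENT') matches
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(roles);
        return converter;
    }
}

// Assumed tool bean showing the role check and per-user scoping the config enables.
@Service
class AgentTools {

    @PreAuthorize("hasRole('AGENT')")
    public String runAgent(Jwt jwt, String prompt) {
        // The JWT subject identifies the caller; tie any agent state to it so one
        // user cannot reach another user's agent session.
        String owner = jwt.getSubject();
        return "agent for " + owner + " handled: " + prompt;
    }

    @PreAuthorize("hasRole('ADMIN')")
    public void resetAllAgents() {
        // admin-only maintenance operation
    }
}
```

The matching application.yml entry is `spring.security.oauth2.resourceserver.jwt.issuer-uri: https://sso.corp-internal.example.com`; Spring Boot would autoconfigure an equivalent `JwtDecoder` from that property alone, so the explicit bean above is there to make the issuer validation visible. Note that without `setAuthorityPrefix("ROLE_")` the converter emits `SCOPE_`-prefixed authorities, and `hasRole('AGENT')` silently denies every caller; a quick check is to log `authentication.getAuthorities()` once during development. The API in this shape holds no credentials and performs no token exchange, which is the point of replacing the password grant: the client obtains the token from the identity provider through the SSO flow, and this service only verifies it.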