In another ticket [1] I opened I was told that an Authentication Provider should return a new token instead of reusing the one that was passed in. The tutorial on authentication providers [2] shows adding the user and returning the existing token as an example.

[1] symfony/symfony#1901 (comment)
[2] http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html
[3] https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php#L55