sec:authorize="isAuthenticated()" not working oauth2

[NCanhhieu]

i use my customoauth2user implement userdetail , and update in security config for both oauth2 login and spring security login.
but thymeleaf sec:authorize="isauthenticated()" not show up th:if="${level == 0}" (this is a property in account entity so spring security formlogin do show up this ) if i login using oauth2

                     <ul class="dropdown-menu level1"  sec:authorize="isAuthenticated()">
                            <li><a th:if="${level == 0}" th:href="@{/buyaccount}">Buy Account</a></li>
                            <li><a th:href="@{/profile}">Profile</a></li>
                            <li class="it-last"><a href="/logout">Logout</a></li>
                        </ul>
My customOauth2User:                        

 public class CustomOAuth2User implements OAuth2User , UserDetails {
private OAuth2User oauth2User;
private String email;
private Collection<? extends GrantedAuthority> authorities;
private Provider provider;

public CustomOAuth2User(OAuth2User oauth2User, String clientRegistrationId  ) {
    this.oauth2User = oauth2User;
    this.provider = determineProvider(clientRegistrationId);
    this.email = getEmail();
    this.authorities = getAuthorities();
}

private Provider determineProvider(String clientRegistrationId) {
    if (clientRegistrationId.equals("google")) {
        return Provider.GOOGLE;
    } else if (clientRegistrationId.equals("github")) {
        return Provider.GITHUB;
    } else {
        return Provider.LOCAL;
    }
}
@Override
public Map<String, Object> getAttributes() {
    return oauth2User.getAttributes();
}

@OverRide
public Collection<? extends GrantedAuthority> getAuthorities() {
if (authorities == null) {
List authorities = new ArrayList<>();
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
this.authorities = authorities;
}
return authorities;
}
@OverRide
public String getName() {
String loginAttribute = "login";
String provider = oauth2User.getAttribute("provider");
if (provider != null && provider.equals("github")) {
loginAttribute = "login";
} else if (provider != null && provider.equals("google")) {
loginAttribute = "name";
}

String email = oauth2User.getAttribute("email");
if (loginAttribute.equals("login") && email != null && email.contains("@gmail.com")) {
    loginAttribute = "name";
}


return oauth2User.<String>getAttribute(loginAttribute);

}
public String getEmail() {
String email = oauth2User.getAttribute("email");
if (email == null) {
return "http://github.com/" + oauth2User.getAttribute("login");
} else {
return email;
}
}
@column(name = "level")
private int level;
public int getLevel() {
return level;
}

public void setLevel(int level) {
    this.level = level;
}
public Provider getProvider() {
    return provider;
}
// Implement UserDetails methods
 @Override
public String getUsername() {
    return  getName();
}

@Override
public String getPassword() {
    return null;
}

@Override
public boolean isAccountNonExpired() {
    return true;
}

@Override
public boolean isAccountNonLocked() {
    return true;
}

@Override
public boolean isCredentialsNonExpired() {
    return true;
}

@Override
public boolean isEnabled() {
    return true;
}

}
SecurityCongfig
@bean
public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
httpSecurity.sessionManagement(
s -> s.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
);
httpSecurity.getSharedObject(AuthenticationManagerBuilder.class)
.authenticationProvider(daoAuthenticationProvider());
httpSecurity.authorizeHttpRequests(request -> {
request.requestMatchers("/css/", "/js/", "/images/").permitAll();
request.requestMatchers("/getCategories","/getGenres").denyAll();
request.requestMatchers("/").permitAll();
request.requestMatchers("/login/oauth2/").permitAll();
request.requestMatchers("/oauth/").permitAll();
request.requestMatchers("/share/facebook").permitAll();
request.requestMatchers(GET,"/admin/").hasAuthority("ROLE_ADMIN");
request.anyRequest().permitAll();
})

            .logout(logout -> {
                logout.logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
                logout.logoutSuccessUrl("/");
                logout.deleteCookies("JSESSIONID");
                logout.invalidateHttpSession(true);
                logout.clearAuthentication(true);
            })

            .formLogin(login -> {
                login.loginPage("/login");
                login.failureUrl("/login?error=true");
                login.successHandler(customAuthenticationSuccessHandler);
                 login.permitAll();
            })
            .rememberMe(rememberMe -> {
                rememberMe.key("remember-me");                                                    
                rememberMe.tokenValiditySeconds(3 * 24 * 60 * 60);       
                rememberMe.tokenRepository(persistentTokenRepository());
            })
            .oauth2Login(oauth2 -> {
                oauth2.loginPage("/login");
                 oauth2.userInfoEndpoint()
                        .userAuthoritiesMapper(userAuthoritiesMapper())
                        .userService(oauthUserService);
                oauth2.successHandler(      customAuthenticationSuccessHandler  );
            })
            .csrf(AbstractHttpConfigurer::disable) ;

return httpSecurity.build();
}
@bean
GrantedAuthoritiesMapper userAuthoritiesMapper() {
return (authorities) -> {
Set mappedAuthorities = new HashSet<>();

        authorities.forEach(authority -> {
            if (authority instanceof OidcUserAuthority oidcAuth) {
                oidcAuth.getIdToken().getClaimAsStringList("groups").forEach(a -> mappedAuthorities.add(new SimpleGrantedAuthority(a)));
            } else if (authority instanceof OAuth2UserAuthority oauth2Auth) {
                ((List<String>) oauth2Auth.getAttributes().getOrDefault("groups", List.of())).forEach(a -> mappedAuthorities.add(new SimpleGrantedAuthority(a)));
            }
        });

        return mappedAuthorities;
    };
}

@component
public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

@Autowired
private AccountsService accountsService;

@Override
public void onAuthenticationSuccess(HttpServletRequest trequest, HttpServletResponse response,
                                    Authentication authentication) throws IOException, ServletException {
    // Handle OAuth2 user processing
    if (authentication.getPrincipal() instanceof CustomOAuth2User) {
        CustomOAuth2User oauthUser = (CustomOAuth2User) authentication.getPrincipal();
        accountsService.processOAuthPostLogin(oauthUser, trequest); 
    }
    // Set Authentication in the session
    HttpSession session = trequest.getSession(true); // Now you can access the request object
    session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());
    String targetUrl = trequest.getHeader("Referer"); // Get the original URL
    if (targetUrl == null || targetUrl.isEmpty()) {
        targetUrl = "/movies"; // Default to root path if no referrer is available
    }
    response.sendRedirect(targetUrl);
}

}
my CustomOAuth2UserService :
@service
public class CustomOAuth2UserService extends DefaultOAuth2UserService {

@Override
public OAuth2User loadUser(OAuth2UserRequest userRequest) throws OAuth2AuthenticationException {
    OAuth2User user =  super.loadUser(userRequest);

    return new CustomOAuth2User(user, userRequest.getClientRegistration().getRegistrationId());
}

}

[towfiq-bK]

@NCanhhieu
try adding the code below which worked for me:
xmlns:sec="http://www.thymeleaf.org/thymeleaf-extras-springsecurity3"