Suppose that I have configured SpringSecurity with the <openid-login> and <form-login>, and created a user-details-service entry like:
<user name="http://jimi.hendrix.myopenid.com/" password="notused"
This allows me to perform an OpenID login after entering my password with "myopenid.com" into their login page (or whatever). But it ALSO allows me to login by entering "http://jimi.hendrix.myopenid.com/" as my username and "notused" as my password. Indeed, if I'd left the password blank, ...
This is unexpected, to say the least!
At the very least, the manual should contain a stern warning to the effect that the password MAY be used, depending on your configuration.
But I think that the root problem is that the current UserDetailsService API is too limited for OpenID use-cases. For example, I'd like a separate API method named (say) loadUserByIdentityUri that the OpenIDAuthenticationProvider calls passing the identityURL AND the OpenID response attributes. Then I could implement my user details service to return an unguessable (random) password in the OpenID case. And I could do things such as allow someone with OpenID credentials but no local account access with default authorities.
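One way to implement the separate OpenID path proposed above, added here as an example that is not code from this report or from the Spring Security project. It assumes Spring Security 3.x, where OpenIDAuthenticationProvider can be given an AuthenticationUserDetailsService<OpenIDAuthenticationToken> (via setAuthenticationUserDetailsService) so the provider hands over the whole token, identity URL and attributes included, rather than a bare username; the "email" attribute name and the ROLE_OPENID_GUEST authority are assumptions.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.List;
import java.util.Map;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.openid.OpenIDAttribute;
import org.springframework.security.openid.OpenIDAuthenticationToken;

/** Serves ONLY the OpenID provider; the form-login user service stays separate. */
public class OpenIdOnlyUserDetailsService
        implements AuthenticationUserDetailsService<OpenIDAuthenticationToken> {

    private final SecureRandom random = new SecureRandom();
    // identity URL -> authorities of a matching local account (constructed sample map)
    private final Map<String, List<GrantedAuthority>> localAccounts;

    public OpenIdOnlyUserDetailsService(Map<String, List<GrantedAuthority>> localAccounts) {
        this.localAccounts = localAccounts;
    }

    public UserDetails loadUserDetails(OpenIDAuthenticationToken token)
            throws UsernameNotFoundException {
        String identityUrl = token.getIdentityUrl();

        // Attributes arrive with the token; "email" is an assumed attribute-exchange name.
        String email = null;
        for (OpenIDAttribute attr : token.getAttributes()) {
            if ("email".equals(attr.getName()) && !attr.getValues().isEmpty()) {
                email = attr.getValues().get(0);
            }
        }

        List<GrantedAuthority> authorities = localAccounts.get(identityUrl);
        if (authorities == null) {
            // Valid OpenID assertion but no local account: default authorities only.
            authorities = AuthorityUtils.createAuthorityList("ROLE_OPENID_GUEST");
        }

        // 256-bit random password: never compared against anything by the OpenID
        // provider, and unguessable if this UserDetails ever reaches the form-login path.
        byte[] noise = new byte[32];
        random.nextBytes(noise);
        String unusablePassword = new BigInteger(1, noise).toString(16);

        return new User(identityUrl, unusablePassword, true, true, true, true, authorities);
    }
}
```

Wiring it through openid-login (user-service-ref, or the provider bean directly) rather than the shared <user-service> is what removes the "notused" password from the form-login path; the identity URL and e-mail are only informational here.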