The getPrincipal method currently returns the identityUrl (which follows the method description from the Authentication interface quite literally: "The identity of the principal being authenticated. This is usually a username."), whereas other authentication providers will typically set the principal to the UserDetails object.
The AbstractUserDetailsAuthenticationProvider determines how to set the principal by the forcePrincipalAsString boolean (defaulted to false). Note, however, that the CasAuthenticationToken also provides a separate getUserDetails method.
The proposed fix is to provide a forcePrincipalAsString option (default set to true for backwards compatibility) in the OpenIDAuthenticationProvider, with changes to the HttpSecurityBeanDefinitionParser so the provider can easily be set to use UserDetails instead of a string.
Patch to follow shortly.