Hi, I came across an issue with the Token mechanism that ties it too much to SimpleCredentials (aka username/password) for the initial create-token login. In case of different credentials and the ExternalLoginModule + external identity provider this currently makes it impossible to use in one go, since it does not take a different user id into account that can be present in the standard shared key "javax.security.auth.login.name".
Details & patch including unit test at https://issues.apache.org/jira/browse/OAK-3899 Cheers, Alex
