Re: [es-dev] Redundant getCallerName and getCallerGroups in OpenIdContext?

Hi,

On Thu, Mar 17, 2022 at 10:38 PM Rudy De Busscher <rdebusscher@xxxxxxxxx> wrote:
> They return the callerName and Groups for the OpenId since they are located in the OpenIdContext class. Having it not in OpenIdContext means that developers also need the SecurityContext to retrieve all the info, even in the case when they just want to use OpenIdConnect.

If the reason is simply so that the developer doesn't have to use two objects, then that's not going to work I think.

Remember that the OpenIdContext only returns the limited caller name and groups that have been returned by the OpenID Provider. If there are any other identity stores or even a custom identity store handler being used then it won't return the actual caller name or the actual groups.

 
> But we never had any discussion in this group about what OpenId integration should look like. And thus I stand by my statement I made before, OpenID Connect should not have been part of Jakarta EE 10 release as there was no proper discussion and we will release something that is not validated by a wider group of people.

Given the few people involved these days, I don't think having waited even longer would have given us more feedback. At least this one has been discussed between me and Gaurav when we first built it almost 3 years ago, has been used ever since in practice, and has been in review for months. There are a few small things being discovered at the last moment, but that always happens. Security 1.0 had a few last-second issues as well.

Kind regards,
Arjan Tijms

