Our application uses both name/password logins as well as OpenID. We needed to add the possibility of locking/disabling accounts. While this worked without problems for name/password logins, OpenID seems to ignore the flags. Consider this listing from my log:

DEBUG o.s.s.o.OpenIDAuthenticationFilter - Authentication success. Updating SecurityContextHolder to contain:
Granted Authorities: ROLE_USER;
Granted Authorities: ROLE_USER,
attributes : ]

The user is authenticated even though the account is not enabled! The same thing happens for locked users. It seems to be a serious security bug.
(More details available in my original question at SO.)
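As an added example (not code from the question or from Spring Security itself), one defensive workaround for the behaviour described above: wrap the OpenID AuthenticationUserDetailsService so that every loaded UserDetails passes through AccountStatusUserDetailsChecker, the same pre-authentication check the name/password DaoAuthenticationProvider applies. The class name and the wrapped delegate are assumptions; the wrapper would be wired in as the user-details-service of the OpenID provider in place of the application's own lookup.

```java
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.openid.OpenIDAuthenticationToken;

/**
 * Hypothetical wrapper: delegates the OpenID user lookup to the application's
 * existing service, then refuses to hand back a UserDetails whose
 * enabled / non-locked / non-expired flags would fail the standard checks.
 */
public class StatusCheckingOpenIDUserDetailsService
        implements AuthenticationUserDetailsService<OpenIDAuthenticationToken> {

    // The application's own OpenID lookup (assumed to exist already).
    private final AuthenticationUserDetailsService<OpenIDAuthenticationToken> delegate;

    // Throws DisabledException, LockedException or AccountExpiredException
    // (all AuthenticationException subclasses) when the matching flag is false,
    // so the OpenID provider fails authentication instead of succeeding.
    private final UserDetailsChecker checker = new AccountStatusUserDetailsChecker();

    public StatusCheckingOpenIDUserDetailsService(
            AuthenticationUserDetailsService<OpenIDAuthenticationToken> delegate) {
        this.delegate = delegate;
    }

    @Override
    public UserDetails loadUserDetails(OpenIDAuthenticationToken token)
            throws UsernameNotFoundException {
        UserDetails user = delegate.loadUserDetails(token);
        // Fail closed: a disabled or locked account never reaches the SecurityContext.
        checker.check(user);
        return user;
    }
}
```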