I was wrong in my first assumption: it wasn't creating the token locally either. Since the user is created without a password, as the real authentication is handled on another server, we only keep the user profile and information in the session's credential/principal information. I ended up manually ...