When a new user is logged it the openid security realm uses different values as the principal name in the security context, depending on the metadata fields available in the openid identity.

After logging the user in, the actual User is created (if needed), and depending on the field used for id (e.g. if it ends up being the openid url) it may be transformed by the canonical id resolver, resulting in a user with a different id that the one registered in the SecurityContextHolder.

After 84e8d0118, User.current will assume the user is the one in the SecurityContextHolder, so it may end up creating another User object for an already existing one, as the search does not go through the canonical id resolver.