TokenLoginModule.login contains the following code that may set the userId field:
however, TokenAuthentication.getUserId() will just delegate to TokenInfo.getUserId and setting the userId in the login module is IMO redundant. Also, upon commit the AuthInfo is ultimately populated with the ID retrieved from the TokenInfo and the userId field is ignored.
I would therefore suggest to drop the extra userId field and simplify the code accordingly. Alex Deparvu, will attach a proposed patch later today.