I observe that there is no method overload for RealmIdentity#getCredential() which accepts an AlgorithmParameterSpec as the CredentialSource types do. This theoretically limits the range of selectivity of credentials that can be used by a mechanism; though things like salt or nonce are usually derived from the stored credential rather than the other way around, it is possible that there are other parameters which might have an impact on the selection of the appropriate credential (like realm name, as I think this issue is about).

An appropriate three-argument overload can be added to this interface as a default method. An additional applyToCredential method can also be added accordingly. An additional getCredentialAcquireSupport method should be added as well; though it could be default, the default implementation would be less than optimal as it would have to delegate to getCredential to function properly.

It might be a good idea to add this overload now while the compatibility impact would be minimal; in this case, the new getCredentialAcquireSupport method would not have to be default (instead, the two-argument form could be made default or removed completely in favor of the three-argument version).