Could these credential sources be discoverable from java.security.Provider with a more generic configuration API? This could help break any dependency from authentication client to the implementation.

In the opposite direction I think it is Ok for the impl to depend on the client.