Current implementation of JCR Authorization module forces you to duplicate users in JCR even if authentication source is external.

IMHO

• Authentication module should check for credentials (like it is now) in addition collect groups and roles together with details like user language, email etc..
• Authorization module can use above information to read access control list for this user

this will help us develope authentication modules for any data/directory source without having to duplicate users in JCR