Great explanation Marcel.
Apart from the question about whether to extend Seam Security with support for delegated access mechanisms, there is another thing to take into account. There is a new OAuth 2.0 standard, which is very interesting. It's a lot less complex than OAuth 1.0, and although it's still very new (AFAIK the spec hasn't even been completed), Facebook already implemented it. I already added an external authentication option in the PicketLink Seam module, based on their OAuth 2.0 access point, so that users can be authenticated with their Facebook accounts.