The client needs to be able to discover what its authentication principal is. The server does not always share that information. So, we need a way to derive the authentication principal from the authorization ID, callbacks, mechanism, and/or external identity.