The authorization identity is the identity that the user intends to run as. By allowing the identity to be specified as a Principal, the anonymous identity can be given, which is a way of directly selecting anonymous authentication. The existing methods which specify the authorization identity as a string can map to a NamePrincipal. Mechanism selection can also take the authorization ID into account.

This also aligns with the run-as logic on the server.