We must be able to support a null authenticationID when using an AuthorizeCallback to perform authorization. In this case, if an authenticated principal was previously established as a result of a successful authentication or evidence verification, we just use it to perform the authorization.