What contents of the bearer token are extracted to validate against the policy?
If you pass in a bearer token as your identity context, the sub claim is extracted and used to look up the identity object in the directory, from which the user can be looked up. The user object is where any persistent attributes about users (or their relationships) are managed.
If other claims are useful in the authorization process, you can create a custom policy that extracts those claims from the JWT and uses them in the policy.
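The resolution chain described in this answer (sub claim, then identity object, then user, with a further claim read by the policy), as an added Python sketch that is not the product's own code. The HS256 signature check, the in-memory directory, the `tenant` claim and all function names are assumptions made for the example.

```python
import base64, hashlib, hmac, json

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, key):
    # Builds a constructed HS256 token so the example runs offline.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verified_claims(token, key):
    # Claims are only trusted after the signature checks out (assumed HS256).
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))

# Constructed directory: identity objects keyed by sub, each pointing at a user.
IDENTITIES = {"idp|abc123": "user-42"}
USERS = {"user-42": {"name": "Dana", "roles": ["editor"]}}

def resolve_user(claims):
    # sub -> identity object -> user object; unknown subjects resolve to None.
    return USERS.get(IDENTITIES.get(claims.get("sub")))

def allowed(token, key):
    # Hypothetical "custom policy": combines a persistent attribute stored on
    # the user object with a transient claim taken straight from the JWT.
    try:
        claims = verified_claims(token, key)
    except ValueError:
        return False
    user = resolve_user(claims)
    if user is None:
        return False
    return "editor" in user["roles"] and claims.get("tenant") == "acme"
```

Attributes that must persist (roles, relationships) live on the user object, while values that only exist per token, such as `tenant` here, are read from the claims inside the policy.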