The general pattern we'd expect is for user/principal information to be gathered from the authentication/identity provider and used in subsequent requests to the PDP (most commonly, roles that the user can assume). That said, there's nothing saying that you couldn't implement (say) a default role and pass that in each request.
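The pattern described above, as an added sketch that is not part of the original text or any project's own code: roles are taken from already-verified identity-provider claims, and a default role is sent on each request when the claims supply none the policies recognise. The claim names (`sub`, `roles`), the role names, `DEFAULT_ROLE`, `KNOWN_ROLES` and the request shape are all assumptions for illustration.

```python
"""Added example: claim names, role names and the request shape are assumptions,
not the API of any specific identity provider or PDP."""
from typing import Any, Dict, List, Mapping

DEFAULT_ROLE = "guest"  # hypothetical default role sent when the IdP supplies none
KNOWN_ROLES = frozenset({"guest", "user", "manager", "admin"})  # hypothetical policy roles

# Constructed sample of already-verified IdP token claims.
SAMPLE_CLAIMS = {"sub": "alice", "roles": ["manager", "user", "manager", "root"]}


def roles_from_claims(claims: Mapping[str, Any], roles_claim: str = "roles") -> List[str]:
    """Return the roles to pass to the PDP, falling back to DEFAULT_ROLE."""
    raw = claims.get(roles_claim)
    if isinstance(raw, str):  # tolerate a single role given as a bare string
        raw = [raw]
    if not isinstance(raw, (list, tuple)):
        raw = []  # claim missing or malformed
    # Keep only roles the policies define; dict.fromkeys de-duplicates in order.
    roles = list(dict.fromkeys(r for r in raw if isinstance(r, str) and r in KNOWN_ROLES))
    return roles or [DEFAULT_ROLE]


def build_pdp_request(claims, action, resource) -> Dict[str, Any]:
    """Build the per-request payload: principal from the IdP, plus action and resource."""
    subject = claims.get("sub")
    if not isinstance(subject, str) or not subject:
        raise ValueError("claims carry no subject; not building a PDP request")
    return {
        "principal": {"id": subject, "roles": roles_from_claims(claims)},
        "action": action,
        "resource": dict(resource),
    }


if __name__ == "__main__":
    print(build_pdp_request(SAMPLE_CLAIMS, "approve", {"kind": "expense", "id": "e-17"}))
    print(build_pdp_request({"sub": "bob"}, "view", {"kind": "expense", "id": "e-17"}))
```

Because the default role reaches the PDP on every request that lacks usable role claims, the policies bound to it decide what such principals can do.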