Long ago, folks knew that GetScope had an inbound-token-validation design purpose. Of course, it doesn't really show until you do async methods. Only then do you get a handle on the full "scope": that in the given RST and that in the (multiple) operation context extensions that behaviors may have established.
You might set the RP cert (for token encryption) based on a behavior that looked at the client cert of the transporting channel … and its root certs … thereby driving cert selection based on both the audience name and the country authenticating the transport channel's cert.
Hmm. 2008. PIV cards. National ID. Zermatt…