every auth strategy now advertises the headers it needs by implementing required_fields method
the higher layer is responsible for providing the fields in UserAuthContext
UserAuthContext is not passed in as a result type, it is always required
if the higher layer is not able to provide required_fields, it should assume the particular auth strategy will not work
if required fields are not provided, auth strategy should not attempt to fall back unless there is a clear algorithm to do so
every auth strategy now advertises the headers it needs by implementing required_fields method the higher layer is responsible for providing the fields in UserAuthContext UserAuthContext is not passed in as a result type, it is always required if the higher layer is not able to provide required_fields, it should assume the particular auth strategy will not work if required fields are not provided, auth strategy should not attempt to fall back unless there is a clear algorithm to do so