[TODO] Add Extension Hooks for external JWT validating against local system

A token should provide enough information to handle the required permissions.

Currently, a ShadowCopy is required before JWT can be used. This defies the purpose of being fully stateless. 