This repository has been archived by the owner on Nov 9, 2017. It is now read-only.

Recalculating claims for ActAs requests #862

Open
wscalf opened this issue Sep 25, 2015 · 0 comments

wscalf commented Sep 25, 2015

So, we're using a somewhat modified IdentityServer as the STS in a multi-app setup, and we've just started using delegation (i.e., ActAs tokens) and run into a bit of a surprise: our individual apps get different claims based on what sorts of permissions they have, but when we delegate from one app to another, the user's claims are passed through instead of running through the ClaimsRepository again.

On the one hand, this is good for performance, but on the other, it leads to apps receiving identities that aren't really meaningful to them.

We're looking at options to address this, but I thought I'd go ahead and throw some questions out there too.

  • Is it possible to have the user's claims re-interpreted on an ActAs request without changing IdentityServer code (replacing repository implementations is okay)?
  • Is this behavior different in a newer version? We're a little out of date.
  • Am I coming at this from the wrong perspective? Is changing the token that's sent to the next application a bad idea?