Similar to OAuth2ClientHttpRequestInterceptor.ClientRegistrationIdResolver, we need a way to customize how the principal (Authentication) is resolved. This is particularly important when applications are using the client_credentials grant type, which typically requires access tokens to be scoped to the application instead of the current user.
Related gh-13588, gh-15299