Would therebe any way to pass additional attributes (say, something from a REST API call's headers or body) to an authorization request, and access it in a Javascript or rules based policy? I see that what is available in the Evaluation API currently is pretty limited.