I’ve noticed that ScramSha1SaslServer does not make use of the option to authorize users on behalf of another user.
I.e. the “a” attribute as per https://tools.ietf.org/html/rfc5802#section-5.1
and AuthorizationManager / AuthorizationPolicy / AuthorizeCallback are disregarded.
I don’t really care about it, but maybe you want to check it.