I do the exact same thing, intercept, validate JWT, put the claims in attributes