The requirement is to protect APIs in a multi-tenanted system. The hostname of the API endpoint URL represents the tenant. This information needs to be propagate to the introspection_endpoint.
The proposal is to provide one of two possible capabilities -
Allow custom headers to be populated using standard macros like %HOSTNAME% when configuring the introspection_endpoint. With this, the system can offer a "global" introspection endpoint and the hostname can be sent as a
x-forwarded-host header in the request. This is preferred because the introspection endpoint is not meant to be exposed for public use.
Allow variables to be used in the introspection_endpoint URL. For example - https://%HOSTNAME%/v1.0/introspect