From dev@ list:
"In pac4j, we have a callback controller which uses the client_name
parameter to finish the login process and a protection filter which
protects a resource and redirects the user to the identity provider for
login. Since pac4j 1.8, most libraries using it now accept a client_name
parameter in the protection filter as well to choose the authentication
mechanism to use if the user is not authenticated.
With Knox, this feature (choosing the authentication mechanism with the
client_name parameter) is not available as this parameter is already used
to define if it's a callback or an access. This could be changed and we
could opt for a new convention, like a new pac4jCallback parameter to say
if it's a callback or not. And this way, you could choose on the fly which
authentication mechanism you want to use."