When there is no proxy between client and server, or even if they're in the same cluster, adding an OAuth2 token is overkill.
Providing some way to check a non-role cert directly would be very helpful for these cases.
The server could potentially configure that authorizer with a particular role, or the authorizer could check all roles that a principal is in.