I've implemented that in the past by using specially formatted Username strings to allow additional information to be sent. There are no rules around exactly how you send through the username and password in those string fields, so the content could actually be a serialized object, compressed string, or whatever you deem necessary.
I couldn't find any other way to send information along elegantly.
Just parse that information out in your AuthorizationPolicy implementation.