My previous post is wrong. If you try to authenticate one scope from another, here's what happens:
You have scope A that hasn't been authenticated, it can authenticate scope B. You're looking for B. Here's what happens:
Scope B from A strategy is provisionally assigned as winning scope.
Then you do the the A scope: scope A is provisionally assigned as winning scope. It's successful.
You can then do try to do scope B. You do, it works. You return your successful strategy's result, which is still A, because that was the last to succeed. You have the wrong scope.
I have a PR (https://github.com/hassox/warden/pull/144/files) which hasn't gone anywhere because I can't figure out to write tests for it and it's a crazy edge case. Existence is suffering.