SamCooper / COMMON_SPEC_RIDS


[Login service] Auth ID requirement is specific to the consumer #96

Closed apinder closed 6 years ago

apinder commented 6 years ago

The below requirement can be asserted in the tests; however, it is outside the scope of the Login service, as it must be asserted on the consumer, which would have no effect on the implementation of the login service (even if it must be adhered to by users of the login service):

3.3.7.2 k) The returned authId field shall be used as the authenticationId field in future MAL messages by the consumer MAL for authentication. The token is specific to the user and role in use.

This also leads to the question of how we ensure all users/consumers of the login service comply with the requirement of setting the auth ID based on the last login response, or do we leave that responsibility to each user/consumer?

SamCooper commented 6 years ago

It is something that the MAL and Reference Model have covered so it is not something we need to be concerned about.

Basically, if they don't do that then the security system in use (if done correctly) wouldn't allow them to do anything else. The reference model covers this, I think.
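The exchange the two comments describe, as an added illustration that is not code from COMMON_SPEC_RIDS or from any CCSDS MO implementation: a toy Login service issues an `authId` per (user, role), a compliant consumer copies it into the `authenticationId` of every later message (requirement 3.3.7.2 k), and the provider-side access check is what actually enforces it, rejecting a message with no token, a token superseded by a later login, a forged token, or a token whose role lacks the operation. The class names, the `PERMISSIONS` table, the `demo-credential` value and the `scenario()` driver are all assumptions made for this example; only the field names `authId` and `authenticationId` come from the issue.

```python
import secrets
from dataclasses import dataclass


@dataclass
class LoginResponse:
    # Field name taken from the quoted requirement 3.3.7.2 k); the rest is constructed.
    authId: bytes


@dataclass
class MalMessage:
    # Reduced MAL message: only the header fields this illustration needs.
    authenticationId: bytes
    operation: str


class LoginProvider:
    """Toy Login service: issues one token per (user, role) on each login."""

    # Hypothetical permission table: which role may invoke which operation.
    PERMISSIONS = {"observer": {"getValue"}, "operator": {"getValue", "setValue"}}

    def __init__(self):
        self._active = {}   # authId -> (user, role)
        self._latest = {}   # (user, role) -> authId of the most recent login

    def login(self, user, role, credential):
        if credential != "demo-credential":        # hypothetical credential check
            raise PermissionError("login rejected")
        token = secrets.token_bytes(16)
        previous = self._latest.get((user, role))
        if previous is not None:                    # re-login supersedes the earlier token
            self._active.pop(previous, None)
        self._active[token] = (user, role)
        self._latest[(user, role)] = token
        return LoginResponse(authId=token)

    def check(self, msg):
        """The provider-side 'security system': decide whether msg may proceed."""
        identity = self._active.get(msg.authenticationId)
        if identity is None:
            return False, "no valid authenticationId: not logged in, or token superseded"
        user, role = identity
        if msg.operation not in self.PERMISSIONS.get(role, set()):
            return False, f"role {role!r} may not invoke {msg.operation!r}"
        return True, f"{user} as {role}"


class Consumer:
    """Consumer MAL that follows requirement k): every message carries the last authId."""

    def __init__(self, provider):
        self._provider = provider
        self._auth_id = b""          # nothing to present before the first login

    @property
    def auth_id(self):
        return self._auth_id

    def login(self, user, role, credential):
        # Store the authId from the most recent login response, replacing any older one.
        self._auth_id = self._provider.login(user, role, credential).authId

    def send(self, operation):
        return self._provider.check(MalMessage(self._auth_id, operation))


def scenario():
    """Run the cases discussed in the issue and return {case: (accepted, reason)}."""
    provider = LoginProvider()
    consumer = Consumer(provider)
    results = {}

    # 1. Message before any login: empty authenticationId, rejected.
    results["before_login"] = consumer.send("getValue")

    # 2. Compliant consumer: log in, then present the returned authId.
    consumer.login("alice", "observer", "demo-credential")
    results["after_login"] = consumer.send("getValue")

    # 3. Token is bound to the role: an observer token cannot do operator work.
    results["wrong_role"] = consumer.send("setValue")

    # 4. Non-compliant consumer: keeps the authId from an earlier login after a
    #    second login instead of the one from the last login response.
    stale = MalMessage(consumer.auth_id, "getValue")
    consumer.login("alice", "observer", "demo-credential")
    results["stale_token"] = provider.check(stale)

    # 5. Forged token: a random value the login service never issued.
    results["forged"] = provider.check(MalMessage(secrets.token_bytes(16), "getValue"))
    return results


if __name__ == "__main__":
    for name, (ok, why) in scenario().items():
        print(f"{name:13s} {'accepted' if ok else 'rejected'}: {why}")
```

The point of the model is the one SamCooper makes: nothing on the consumer side needs to be tested for compliance, because a consumer that does not carry the latest `authId` simply cannot get any operation past the provider's check.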