Closed klarose closed 4 years ago
One thing we're not addressing here is a similar requirement on the User Portal. I feel like we should probably have one. Thoughts?
If you feel motivated, you could add something, but it's tricky. The user portal doesn't need to use strong identifiers, because it can base its decisions on other things than the UE identifier. For instance, a capability URL (that is, a hard-to-guess URL) embedded in the API requires no external authentication.
Thanks. Perhaps I'll do this in a separate PR to address #95
A reviewer pointed out that we never really said that it was a desired proprety of the API that it limit access to a UE's state to itself. Add a requirement to that effect so we're explicit about that goal, and reference the identifier section that describes that it's a good property for the identity.
Fixes #118