The human-readable requirement in this spec introduces security and privacy (PII etc.) considerations that should be called out.
For example, JWT provides an approach to communicate JSON-based payload data, usually via HTTP headers. It also provides additional optional benefits such as signatures and encryption. Also, an ID Token is a means of encapsulating user identity in JWT tokens.
Some information conveyed through contexts may either be sensitive or may be susceptible to tampering. It would be great to either:
- add signature/encryption as standard offerings when conveying correlation context,
- and/or provide guidance on how to deal with security or encryption (for example, values could be JWT tokens),
- and/or call it out as out of scope for this specification.
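To make the tampering concern above concrete, here is an added example (not code from the issue author or from the Trace Context project) that carries one baggage value as a compact HS256 JWS and verifies it on the receiving side. The header serialization is the plain `key=value` list form used by the correlation context draft; the shared key, claim names (`tenant`, `exp`) and the `tenant_token` key are constructed for the demo. Only the Python standard library is used, so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. In a real deployment this would come from a
# secret store or KMS and be rotated; hard-coding it here is only for the example.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires. The alphabet (A-Z a-z 0-9 - _)
    contains no ',', ';' or '=', so a token is safe as a baggage value."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_claims(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) over the claims with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature (and 'exp', when present) check out, else None.
    Anything malformed is treated as untrusted rather than raising."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: never let the token choose (rejects alg=none and friends).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    if not isinstance(claims, dict):
        return None
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


def build_baggage(entries: dict) -> str:
    """Serialize entries as a correlation-context style header value: key=value,key=value."""
    return ",".join(f"{k}={v}" for k, v in entries.items())


def parse_baggage(header: str) -> dict:
    """Parse the list-member form back into a dict, dropping ';'-separated properties."""
    out = {}
    for member in header.split(","):
        if "=" in member:
            k, v = member.strip().split("=", 1)
            out[k] = v.split(";", 1)[0].strip()
    return out


def receive_tenant(header: str, key: bytes, now: Optional[float] = None) -> Optional[str]:
    """What a downstream service would do: only trust 'tenant' if its token verifies."""
    entries = parse_baggage(header)
    claims = verify_token(entries.get("tenant_token", ""), key, now)
    return None if claims is None else claims.get("tenant")


if __name__ == "__main__":
    tok = sign_claims({"tenant": "acme", "exp": 2_000_000_000}, DEMO_KEY)
    hdr = build_baggage({"tenant_token": tok, "region": "eu"})
    print("Correlation-Context:", hdr)
    print("trusted tenant:", receive_tenant(hdr, DEMO_KEY, now=1_700_000_000))
```

The point of the shape is that the receiving side extracts the claim only through `verify_token`, so a modified payload, a signature made with a different key, an expired token or a garbled value all collapse to "no trusted tenant" instead of a partially trusted one. Values that must stay confidential rather than merely tamper-evident would need JWE (encryption) instead of JWS, which this example does not cover.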
+1 to call it as out of scope. Not because this question is not important, but because this whole paradigm of passing application-specific data as baggage in all the requests is a pretty new concept, and I feel it's premature to be locking down how values must be interpreted or represented.