[Openid-specs-authzen] [Question] X-Request-ID Header Generation - Authorization API Specification

Eric Leleu eric.leleu at graviteesource.com
Mon Nov 17 10:14:11 UTC 2025


Hello everyone,

I recently joined this mailing list after signing the Contribution
Agreement.

First and foremost, thank you all for the tremendous work you have put into
this specification.

During the Public Review Period, I would like to ask a question regarding
the X-Request-ID header. Please excuse me if this is not the appropriate
forum for this inquiry.

The specification states that the generation of the identifier is the
responsibility of the PEP (Policy Enforcement Point) and that it must be
returned in the response (section-10.1.3).

However, in cases where the PEP does not transmit this header, shouldn't
the PDP (Policy Decision Point) be required to generate one and provide it
in the response headers?

I believe this behavior could be valuable for auditing and debugging
purposes regardless of client behavior. What is your opinion on this point?

Best regards,
Eric LELEU

-- 
Eric LELEU
Staff Software Engineer / AM Tech Lead
E eric.leleu at graviteesource.com

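The behaviour asked about in the message above, as an added example (not part of the original post and not text or code from the specification): a PDP-side handler that echoes the PEP's X-Request-ID and, when the header is absent, generates one and returns it. The function names, the UUID format, the character and length restriction and the 400 response are assumptions made for the illustration.

```python
import re
import uuid

HEADER = "X-Request-ID"
# Assumption: accept only short, token-like IDs so an echoed value cannot
# carry CR/LF or other control characters into response headers or audit logs.
_SAFE_ID = re.compile(r"[A-Za-z0-9._:-]{1,128}")


def resolve_request_id(headers):
    """Return (request_id, origin); origin is 'pep', 'pdp' or 'invalid'."""
    # HTTP header names are case-insensitive, so compare in lower case.
    supplied = next(
        (v for k, v in headers.items() if k.lower() == HEADER.lower()), None
    )
    if supplied is None:
        # Fallback proposed in the message: the PDP generates an ID itself.
        return str(uuid.uuid4()), "pdp"
    if not _SAFE_ID.fullmatch(supplied):
        # Never echo a malformed value; correlate the rejection with a fresh ID.
        return str(uuid.uuid4()), "invalid"
    return supplied, "pep"


def handle_evaluation(headers, decide, audit_log):
    """Hypothetical PDP entry point: returns (status, response_headers, body)."""
    request_id, origin = resolve_request_id(headers)
    if origin == "invalid":
        audit_log.append({"request_id": request_id, "origin": origin, "status": 400})
        return 400, {HEADER: request_id}, {"error": "malformed X-Request-ID"}
    decision = bool(decide())  # decide() stands in for the policy evaluation
    audit_log.append({"request_id": request_id, "origin": origin,
                      "status": 200, "decision": decision})
    # A PEP-supplied ID is echoed unchanged; a PDP-generated one is returned
    # the same way, so every response and audit record carries an identifier.
    return 200, {HEADER: request_id}, {"decision": decision}
```

Recording the origin in the audit entry lets an operator tell a PEP-chosen identifier from one the PDP generated when tracing a decision.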