[Openid-specs-authzen] [Question] X-Request-ID Header Generation - Authorization API Specification
Omri Gazitt
omri at aserto.com
Thu Nov 20 19:15:39 UTC 2025
Hi Eric, thanks for joining the mailing list and for your question!

The header is meant to function as an (optional) correlation mechanism
between requests and responses, that is triggered by the client. If the
client wants to use this mechanism, it can do so using the header you
mentioned.

A PDP is free to add other headers to the response, which could be used for
purposes such as logging as you mentioned, but specifying any additional
mechanisms is out of scope for v1.

We could consider adding other mechanisms in a future version.

Thanks,
Omri.

On Mon, Nov 17, 2025 at 2:14 AM Eric Leleu via Openid-specs-authzen <
openid-specs-authzen at lists.openid.net> wrote:
> Hello everyone,
>
> I recently joined this mailing list after signing the Contribution
> Agreement.
>
> First and foremost, thank you all for the tremendous work you have put
> into this specification.
>
> During the Public Review Period, I would like to ask a question regarding
> the X-Request-ID header. Please excuse me if this is not the appropriate
> forum for this inquiry.
>
> The specification states that the generation of the identifier is the
> responsibility of the PEP (Policy Enforcement Point) and that it must be
> returned in the response (section-10.1.3).
>
> However, in cases where the PEP does not transmit this header, shouldn't
> the PDP (Policy Decision Point) be required to generate one and provide it
> in the response headers?
>
> I believe this behavior could be valuable for auditing and debugging
> purposes regardless of client behavior. What is your opinion on this point?
> Best regards,
> Eric LELEU
>
> --
> Eric LELEU
>
> Staff Software Engineer / AM Teach Lead
>
> E eric.leleu at graviteesource.com <your.name at graviteesource.com>