3.1.5.15 Enabling Clients or Applications to Make Requests on Behalf of the User

The protocol server can send an X-RequestToken value (see section 2.2.15) to the protocol client or a third-party application to enable it to make requests on behalf of the current user. The X-RequestToken<18> value is generated by the protocol server and is an opaque string to the protocol client. The content of the X-RequestToken value is protocol server implementation-specific. The protocol server MAY<19> include information such as the protocol client application identifier, the current user identifier, a time stamp, and their hash values in the X-RequestToken value, along with any other information necessary for the protocol server to execute the request.

When the protocol client or a third-party application needs to make requests on behalf of the current user, it can include the X-RequestToken value in the X-RequestToken header of a new request to the protocol server. The protocol server can read the user identifier from this header and execute the request on behalf of the user specified by that identifier. The protocol server can further use the hash value to ensure that the value of this token has not been tampered with. The protocol server could also define an expiration period and ensure that the token has not expired by checking the time stamp.
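One way a protocol server could build and validate such a token, shown as an added example that is not part of this specification or of any product's implementation. The field layout, the use of HMAC-SHA256 as the hash, the `SERVER_KEY` and `TOKEN_LIFETIME` values, the check that binds the token to the requesting application, and all function names are assumptions, since the token content is implementation-specific.

```python
import base64, hashlib, hmac, secrets, time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to clients
TOKEN_LIFETIME = 600                  # assumption: expiration period of 10 minutes, in seconds

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")

def mac(payload: str) -> bytes:
    # Keyed hash: a plain hash could be recomputed by anyone who edits the fields.
    return hmac.new(SERVER_KEY, payload.encode("ascii"), hashlib.sha256).digest()

def issue_token(app_id: str, user_id: str, now: Optional[float] = None) -> str:
    """Build the opaque X-RequestToken value: three fields plus their keyed hash."""
    issued = int(time.time() if now is None else now)
    # Fields are encoded separately so a "." inside an identifier cannot shift boundaries.
    payload = ".".join([b64(app_id.encode()), b64(user_id.encode()), str(issued)])
    return payload + "." + b64(mac(payload))

def verify_token(token: str, app_id: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user identifier if the token is intact, unexpired and issued to app_id."""
    try:
        payload, tag = token.rsplit(".", 1)
        supplied = base64.urlsafe_b64decode(tag.encode("ascii"))
        # Check integrity first, in constant time, before trusting any field.
        if not hmac.compare_digest(supplied, mac(payload)):
            return None
        app_b64, user_b64, issued_text = payload.split(".")
        token_app = base64.urlsafe_b64decode(app_b64).decode()
        user_id = base64.urlsafe_b64decode(user_b64).decode()
        issued = int(issued_text)
    except ValueError:  # malformed structure, bad base64, non-ASCII or non-numeric field
        return None
    current = time.time() if now is None else now
    if not 0 <= current - issued <= TOKEN_LIFETIME:
        return None     # expired, or time stamp lies in the future
    if token_app != app_id:
        return None     # token was issued to a different client application
    return user_id

if __name__ == "__main__":
    token = issue_token("app-1", "alice@example.test")  # constructed sample identifiers
    print("X-RequestToken:", token)
    print("acting as:", verify_token(token, "app-1"))
```

The server performs every check on each request that carries the header, and the user identifier is taken only from a token that passed the integrity check, never from a separate client-supplied field.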