USER_CHAIN is a HTTP Header, as you have listed,
“USER_CHAIN” is our standard for AAF at AT&T.
The format is a comma delimited set of entries:
<ENTRY1>,<ENTRY2>…
Within each ENTRY, there are at least 3, but up to 4 fields delimited by colon ‘:’
Field 1: FQI (Fully Qualified Identity)
Field 2: Component name (Component isn’t an official entry in NS, but should start with NS). It is primarily for logging.
Field 3: Protocol (BAth, OAth and x509 are best practice)
Field 4 (Optional): Request (If Field 3 exists, and is “AS”, then the calling services is requesting that the Identity be treated as the official Identity
example
USER_CHAIN=m99999@myapp.onap.org:org.onap.myapp.gui:x509:AS,m00000@something.onap.org:org.onap.myapp.entrypoint:BAth
Note: The app itself may not choose to honor the “AS” request, because it is up to the App to decide which incoming Apps it actually trusts to do correct Authentication.
If using CADI, set the “cadi_trust_perm” value with the Permission which THE APP WILL GRANT trust.
Example:
Where "org.onap.myapp" is the NS of the group adding.
cadi_trust_perm=org.onap.myapp.mytrust|org.onap|trust
APP B, having set this perm, can then grant this perm to the APP A if it chooses to trust the “AS” request on the first entry.