Support client auth token validation without requiring an admin token
1. If an admin account is not set up, then it should be possible to use the client's own token to authenticate the validation call to Identity.
2. In this case only, if Identity rate limits the validation call, the rate limit error code should be returned to the client (i.e. a 503 should not be substituted).
This will require a change in Identity to support validating a token using that same token.
Do not implement this Epic until Identity has the change in progress, since it needs to be approved by Product Security first.
Existing functionality should not break
This should be an optional feature (customers can turn it on or off)
Validation should be rejected if the token is invalid/expired
The rate limit response code should be configurable (413 or 429 are the only codes allowed)
When self-token validation is turned off, we should continue to return a 503.
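As an added illustration (not Repose or Identity code), the following Python decision function implements the requirements above: it picks which token authenticates the call to Identity, rejects the 413/429 configuration constraint at startup, and maps Identity's answer to the status the proxy returns to the client. It assumes a hypothetical Identity endpoint shape `GET {base}/v2.0/tokens/{token}` authenticated with an `X-Auth-Token` header, an injected transport callable so it runs offline, and that a configured admin token takes precedence over self-validation; the 401 handling on the self-validation path is an assumption about the open question in REP-2185, not a confirmed Identity behaviour.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Assumed Identity endpoint shape (hypothetical): GET {base}/v2.0/tokens/{token}
# authenticated with an X-Auth-Token header.
ALLOWED_RATE_LIMIT_CODES = (413, 429)    # the only values the config may use
IDENTITY_RATE_LIMIT_CODES = (413, 429)   # what Identity may send back (assumed)

# A transport is any callable that performs the HTTP GET and returns
# (status_code, body). Injecting it keeps the example offline and testable.
Transport = Callable[[str, dict], Tuple[int, str]]


@dataclass
class ValidatorConfig:
    identity_base_url: str
    admin_token: Optional[str] = None      # None: no admin account is set up
    self_validation_enabled: bool = False  # optional feature, off by default
    rate_limit_code: int = 429             # returned to the client when rate limited

    def __post_init__(self):
        # Enforce "413 or 429 are the only codes allowed" when the config loads.
        if self.rate_limit_code not in ALLOWED_RATE_LIMIT_CODES:
            raise ValueError(
                f"rate_limit_code must be one of {ALLOWED_RATE_LIMIT_CODES}, "
                f"got {self.rate_limit_code}")


def validate_client_token(client_token: str, cfg: ValidatorConfig,
                          send: Transport) -> int:
    """Validate the client's token against Identity and return the HTTP
    status the proxy should send back to the client."""
    # Assumed precedence: use the admin token when one is configured; fall
    # back to the client's own token only when self-validation is enabled.
    if cfg.admin_token:
        auth_token, self_validating = cfg.admin_token, False
    elif cfg.self_validation_enabled:
        auth_token, self_validating = client_token, True
    else:
        # No admin account and self-validation is off: there is no credential
        # to call Identity with, so treat it as auth service unavailable (assumed).
        return 503

    url = f"{cfg.identity_base_url}/v2.0/tokens/{client_token}"
    status, _body = send(url, {"X-Auth-Token": auth_token,
                               "Accept": "application/json"})

    if status == 200:
        return 200                      # token valid: let the request through
    if status in (401, 404):
        # 404: Identity does not know the token (the page's assumption for the
        # admin-token path). 401: the self-validated token was rejected as the
        # credential itself, which is how an expired token is assumed to
        # surface on the self-validation path (an open question on the page).
        return 403                      # invalid/expired: reject
    if status in IDENTITY_RATE_LIMIT_CODES:
        # Requirement 2: only on the self-validation path is Identity's rate
        # limit surfaced to the client; otherwise a 503 is substituted.
        return cfg.rate_limit_code if self_validating else 503
    return 503                          # any other Identity failure


def fake_identity(status: int) -> Transport:
    """Constructed transport that always answers with the given status."""
    def send(url: str, headers: dict) -> Tuple[int, str]:
        assert "X-Auth-Token" in headers  # the call must carry a credential
        return status, ""
    return send


if __name__ == "__main__":
    cfg = ValidatorConfig("https://identity.example", admin_token=None,
                          self_validation_enabled=True, rate_limit_code=429)
    print(validate_client_token("client-token", cfg, fake_identity(429)))  # 429
```

The transport stub stands in for the real HTTP call; swapping it for one that performs the request is the only change needed to use the mapping against a live endpoint.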
Information Needed for REP-2185:
What is the behavior of Identity if the customer token being self-validated is expired? Is it the same response as for an admin token? Our assumption is that an admin token will return a 404 from Identity and Repose will respond with a 403.
For a self-validating token that is expired, what is the behavior? Kari emailed Identity 5/5.