Comment by gbalduzzi

5 hours ago

User identity attached is not a solution; it doesn't solve anything if you have to pull in external data that you can't control.

Like in the banking world, you can make everything super authenticated, but if you have an API that receives the latest wire transfer YOU received with the message attached, you don't control the message content and it can be an attack vector.

Being authenticated/authorized is not the solution; it is data that the user can access.