When you make a call to a hosted service method, you need to provide a user token to check caller permissions, which Backendless does automatically.
However, inside the call I want to use the identity. Can I get the identity from the token used, or am I going to need to have a userId parameter on every hosted call to identify the user? This user ID would need to remain protected from all other users in the system so that no one else can impersonate them, unless there is a way to resolve a user token back to a user account.
I was thinking that some users might be able to enumerate other users to share data, so protecting the userID might be difficult and not a secure way of proving the caller's identity.
What's the Backendless recommended way to do this?