Don't do token requests for "bad" AUTH methods
For IDTOKENS to work in promiscuous mode, you need an insecure authorization method (bootstrapping a secure method being the whole point of promiscuous mode). Our best practice for this is currently the ANONYMOUS authorization method. However, once the promiscuous-mode window closes, we should stop responding to token-management commands sent via the ANONYMOUS method.
We should probably never respond to token-management commands under CLAIMTOBE.
Luckily, we already check to make sure the reply stream is encrypted, so there’s a natural place to expand the set of checks we do.
CODE REVIEW: Looks good.
I agree with the conceptual design, have not had a chance to review yet.