In cases where we have a REST servlet (in database) that is using a 3rd party authorisation mechanism to validate tokens/apikeys, it would be nice if the servlet could create a new <user> session (instead of running as anonymous or as the code signer). This would enable us to link specific apikey identities to Domino web user accounts.
The newly created <user> session can then be used to open application database(s), views, documents etc., thereby allowing all built-in security functionality (database ACLs, reader/author fields, etc.) to be applied. Fields such as $UpdatedBy etc. would also then use the effective Domino web user name, etc.
Alternatively, if creating a new session for a specific <user> is not possible, would it be possible to offer an "as user" option when opening a database so that the <user>'s ACL permissions in the database are enforced instead of anonymous or the code signer's?
Obviously the ID that signs the application design elements would need an applicable privilege/right (via the server document security settings) to be able to do this (like "run as user").