Task
Resolution: Done
All of the platform's security is currently built around the rh-identity header. The scheduler will be running asynchronously so it will not have a "fresh" identity header when the jobs are kicked off.
The scheduler needs a way to verify that a user still exists and obtain a "fresh" identity header. We need to determine the right way to implement this.
The code currently reaches out to bop/mbop to verify the user exists, org-id matches, etc. and then builds an identity header. This is for testing in ephemeral and stage until we finalize our approach.
The code is currently built to allow this mechanism to be changed out without too many changes (hopefully :crossfingers:). The user verification/validation and identity header "retrieval" is pluggable.
Long term...I think the newly spec'd out gateway will allow us to do this using tx-tokens, but that isn't built yet.
Short term...we likely need to add a method (similar to "/internal/certauth") to the gateway to do this work for us.
Note to dehort: Read ADR-081
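
The pluggable verification step described above, sketched as an added example that is not the project's own code. The `UserDirectory` interface, the `StaticDirectory` stand-in, the user record fields (`org_id`, `is_active`) and the JSON layout of the header are assumptions made for illustration; the ticket does not specify them.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional, Protocol


@dataclass(frozen=True)
class JobOwner:
    """Who scheduled the job, as stored with it (hypothetical record)."""
    org_id: str
    username: str


class UserDirectory(Protocol):
    """Pluggable lookup: a bop/mbop client now, a gateway call later (assumed shape)."""
    def lookup(self, username: str) -> Optional[dict]: ...


class StaticDirectory:
    """Constructed in-memory backend standing in for the real service."""
    def __init__(self, users: dict):
        self._users = users

    def lookup(self, username: str) -> Optional[dict]:
        return self._users.get(username)


class IdentityRefused(Exception):
    """The job must not run: its owner could not be re-verified."""


def fresh_identity_header(owner: JobOwner, directory: UserDirectory) -> str:
    """Re-verify the owner when the job fires, then build a new header value."""
    user = directory.lookup(owner.username)
    if user is None:
        raise IdentityRefused("user no longer exists")
    if not user.get("is_active", False):  # assumed field; absent means refuse
        raise IdentityRefused("user is not active")
    if user.get("org_id") != owner.org_id:
        raise IdentityRefused("org_id no longer matches the scheduled job")
    # Build from the directory's current answer, never from a header saved at schedule time.
    identity = {"identity": {"type": "User", "org_id": user["org_id"],
                             "user": {"username": owner.username}}}
    return base64.b64encode(json.dumps(identity).encode()).decode()


# Constructed sample data: bob has moved to another org, carol has been removed.
DIRECTORY = StaticDirectory({
    "alice": {"org_id": "1001", "is_active": True},
    "bob": {"org_id": "2002", "is_active": True},
})
```

Swapping the backend means supplying another object with a `lookup` method; the refusal checks stay in one place, so a job whose owner cannot be re-verified never receives a header.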