Our documentation doesn't yet explain well enough what it means for a context to be "open".

Here are some possible definitions:

1) There is an instance of IContext, and it has been associated with sufficient config/policy such that it can conceivably represent a set of DigitalSubjects.
2) Same as #1, but there is actual representation (meaning the connection to the backing data has been established, and AuthN has taken place).

If it's #2, we likely need a provision for handling unsolicited closing of contexts. Meaning, the IdAS consumer does not call closeContext, yet it moved to a non-open state because of a timeout, AuthN change due to policy, network error, etc. I suppose we could just say some exception (ContextClosedException) is thrown for any methods called subsequent to these acts.

In any case, we should document whether "open" means #1, #2, or something else.

#2 is what I’ve always assumed. For many Contexts a Digital Identity (token) must be passed in to the ‘open’ call, and for these at least AuthZ is part of the ‘open’ action.
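
An added sketch (not part of the original thread and not the IdAS API) of definition #2 with an unsolicited close: the context fails closed once its authenticated state lapses, and every later call throws ContextClosedException. The class SketchContext, its State enum, the idle limit, the getSubject method and the token value are hypothetical names and constructed values chosen for illustration.

```java
import java.time.Duration;
import java.time.Instant;

// Hypothetical sketch: none of these types are the real IdAS interfaces.
class ContextClosedException extends RuntimeException {
    ContextClosedException(String reason) { super("context closed: " + reason); }
}

class SketchContext {
    enum State { CONFIGURED, OPEN, CLOSED }

    private final Duration idleLimit;
    private State state = State.CONFIGURED; // definition #1: config attached only
    private String closeReason = "never opened";
    private Instant lastUse;

    SketchContext(Duration idleLimit) { this.idleLimit = idleLimit; }

    // Definition #2: "open" only once the backing connection and AuthN succeed.
    void open(String token, Instant now) {
        if (token == null || token.isEmpty()) throw new IllegalArgumentException("AuthN failed");
        state = State.OPEN;
        lastUse = now;
    }

    // Solicited (consumer calls it) or unsolicited (provider calls it itself).
    void close(String reason) {
        if (state != State.CLOSED) { state = State.CLOSED; closeReason = reason; }
    }

    // Every operation passes through this guard, so a lapsed session is never reused.
    private void requireOpen(Instant now) {
        if (state == State.OPEN && Duration.between(lastUse, now).compareTo(idleLimit) > 0)
            close("idle timeout"); // unsolicited close
        if (state != State.OPEN) throw new ContextClosedException(closeReason);
        lastUse = now;
    }

    String getSubject(String id, Instant now) {
        requireOpen(now);
        return "subject:" + id; // stand-in for a lookup against the backing store
    }
}

public class Demo {
    public static void main(String[] args) {
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z"); // constructed timestamp
        SketchContext ctx = new SketchContext(Duration.ofMinutes(5));
        ctx.open("constructed-token", t0);
        System.out.println(ctx.getSubject("alice", t0.plusSeconds(60)));
        try {
            ctx.getSubject("alice", t0.plusSeconds(60 + 301)); // idle past the limit
        } catch (ContextClosedException e) { System.out.println(e.getMessage()); }
    }
}
```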