PDP should return a token when accepting a request
Currently the command handlers (PEP) accept the answer of the PDP (HTTP 200) without verifying that it comes from the PDP.
The PDP should instead send a verifiable expirable token (i.e. it has the signature of the PDP). This token can then be reused for a limited time by other services interacting with the PEP.
Edited by erbou