X-OAA-USER-IDENTITY token received from /webServices/tunnel, used to obtain information about the user who called the web service.
To prevent spoofing, X-OAA-USER-IDENTITY tokens are bound to the service they were issued for. This is achieved by comparing your webService URL with the webService URL the token was issued for before returning the validated user identity. If an attacker calls your web service with a spoofed token from another service, the user identity validation fails, which in turn prevents your web service from revealing sensitive user-specific information to the attacker.
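
The following sketch models the binding check described above. It is an added example, not the actual X-OAA-USER-IDENTITY implementation: the token layout (base64 JSON plus HMAC), the demo key, and the names `issue_token` and `validate_token` are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; stands in for whatever secret the real issuer uses.
ISSUER_KEY = b"constructed-demo-key"


def _sign(payload: bytes) -> bytes:
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest().encode()


def issue_token(user: str, web_service_url: str) -> str:
    """Issuer side (hypothetical): embed the webService URL the token is issued for."""
    payload = json.dumps({"user": user, "webService": web_service_url}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()


def validate_token(token: str, calling_web_service_url: str):
    """Validator side (hypothetical): return the user identity only if the
    signature is valid AND the token was issued for the calling service."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:
        return None  # malformed token
    # Reject tokens whose content was altered after issuance.
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return None
    claims = json.loads(payload)
    # Service binding: the URL in the token must equal the caller's own URL.
    if not hmac.compare_digest(claims["webService"].encode(),
                               calling_web_service_url.encode()):
        return None
    return claims["user"]


if __name__ == "__main__":
    # Constructed sample URLs.
    token = issue_token("alice", "https://other.example/ws")
    print(validate_token(token, "https://other.example/ws"))  # issued-for service
    print(validate_token(token, "https://mine.example/ws"))   # replayed elsewhere
```

A token presented to a service other than the one it was issued for yields no identity, so the receiving service has nothing user-specific to return.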