Description
Steps to reproduce
One of our services has a global disallow hook on the users service. This has worked fine in the past - we allow other services to call it, but nothing external should need to directly interact with the users service.
In v4, this gets an error because of a disallowed GET:
'Provider 'rest' can not call 'get'. (disallow)' stack='MethodNotAllowed: Provider 'rest' can not call 'get'. (disallow)
Looking at the jwt.ts code, I see:
// First lookup strips the transport provider so external-only restrictions do not apply:
const result = await entityService.get(id, omit(params, 'provider'));
if (!params.provider) {
  return result;
}
// Second lookup re-sends the original params (provider included) with the entity attached:
return entityService.get(id, { ...params, [entity]: result }); // <-- ??
Why does this code now pass the params to the (last) get call if a provider is present on the authentication call? This is somewhat antithetical to the whole idea of an auth service: if I'm authenticated, the service is supposed to return a (filtered) user context back to the caller. (It also seems inefficient to be calling this twice for every external authentication.)
As noted in the final comments on the PR that added this: #1320
Why isn't the entityService.get just calling with NO params to get the user details?
Expected behavior
I should not have to have a publicly available users GET for authentication to succeed.
Actual behavior
Request fails :(
System configuration
4.0.0-pre.4 for all components
Node 10.16
macOS Mojave
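To make the failure mode concrete, here is an added illustration (not Feathers' or this issue's own code) that models a users service with an external-disallow before hook and replays the two-step lookup quoted from jwt.ts; the service, hook, `omit` helper and `outcome` function are constructed for the example.

```javascript
// Error shape modelled on the MethodNotAllowed the issue quotes (constructed, not @feathersjs/errors).
class MethodNotAllowed extends Error {
  constructor(message) { super(message); this.name = 'MethodNotAllowed'; this.code = 405; }
}

// Model of a disallow('external') before hook: any call that carries a transport
// provider (rest, socketio, ...) is rejected before the service method runs.
function disallowExternal(context) {
  if (context.params.provider) {
    throw new MethodNotAllowed(
      `Provider '${context.params.provider}' can not call '${context.method}'. (disallow)`);
  }
  return context;
}

// Constructed in-memory users service that runs its before hooks on every get().
function makeUsersService(hooks) {
  const users = { 1: { id: 1, email: 'alice@example.com' } };
  return {
    async get(id, params = {}) {
      const context = { method: 'get', id, params };
      for (const hook of hooks) await hook(context);
      if (!users[id]) throw new Error('NotFound');
      return users[id];
    }
  };
}

function omit(obj, key) { const { [key]: _, ...rest } = obj; return rest; }

// Same control flow as the quoted jwt.ts snippet: the first get() strips the
// provider, the second get() (only when a provider is present) passes it through.
async function getEntity(entityService, id, params, entity = 'user') {
  const result = await entityService.get(id, omit(params, 'provider'));
  if (!params.provider) return result;
  return entityService.get(id, { ...params, [entity]: result });
}

// Resolves to 'ok' when the lookup succeeds, otherwise to the thrown error's name.
async function outcome(params) {
  const service = makeUsersService([disallowExternal]);
  try { await getEntity(service, 1, params); return 'ok'; }
  catch (err) { return err.name; }
}
```

An internal call (no provider) resolves to `'ok'`, while a call authenticated over `rest` resolves to `'MethodNotAllowed'` on the second lookup, which is exactly the error quoted above.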