Assigning permissions (scopes) to different API endpoints for different types of users

Howdy folks,

Imagine I’ve got two endpoints:

1. /users
2. /users/{userId}

these permissions (scopes):

1. create:users
2. update:users

and this custom access token claim:

```json
{
  "https://example.com/admin": true
}
```

Now, each user should be able to update his own data at the second endpoint and obviously for that he also needs the second scope right?

An admin on the other hand needs both scopes to operate in both endpoints with the addition of the custom admin claim.

I guess my question is, is reusing scopes across different types of users a good practice? Is it even meaningful to call them update:users (plural) when it is in the context of a regular user instead of an admin?

Or should I create different permissions for essentially the same thing in plural and singular and arrange them in roles?

Hi @ahsath

This seems fine to me. To be clear:

User A is not an admin and has the update:users scope. They are allowed to update users, but because they don’t have the admin claim they can only update their user.

User B is an admin; they have the update:users scope. They are allowed to update any user.

John

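The rule John describes (one update:users scope for everyone, with the custom admin claim deciding whether the caller may touch users other than themselves) is easy to get subtly wrong in an API handler, so here is an added example of the check as I would write it. This is not code from the thread or from any Auth0 SDK: it assumes the access token has already been signature-verified and decoded into a plain claims object, that the user id is carried in the standard sub claim, and that the update endpoint is called with PATCH; the route table, function names and sample tokens are constructed for the example.

```javascript
// Added example (not from the original thread): authorization decision for the
// two endpoints in the question, combining OAuth scopes with the custom admin claim.
// Assumes the token is already verified and decoded; `claims.sub` is the caller's
// user id (assumption), and the update endpoint uses PATCH (assumption).

const ADMIN_CLAIM = "https://example.com/admin";

// Route table: which scope each endpoint needs and whether it is admin-only.
// The capture group in the second pattern extracts {userId} from the path.
const ROUTES = [
  { method: "POST",  pattern: /^\/users$/,          scope: "create:users", adminOnly: true },
  { method: "PATCH", pattern: /^\/users\/([^/]+)$/, scope: "update:users", adminOnly: false },
];

function hasScope(claims, scope) {
  // OAuth 2.0 "scope" is a space-delimited string; anything else counts as no scopes.
  if (typeof claims.scope !== "string") return false;
  return claims.scope.split(" ").includes(scope);
}

function isAdmin(claims) {
  // Require the boolean true, not a truthy string such as "true" or a non-empty object,
  // so a loosely typed claim cannot be mistaken for admin.
  return claims[ADMIN_CLAIM] === true;
}

// Returns { allowed, reason } so the caller can log why a request was denied.
function authorize(claims, method, path) {
  const route = ROUTES.find((r) => r.method === method && r.pattern.test(path));
  if (!route) return { allowed: false, reason: "unknown route" };

  // Step 1: the scope gates the operation regardless of who the caller is.
  if (!hasScope(claims, route.scope)) {
    return { allowed: false, reason: `missing scope ${route.scope}` };
  }

  // Step 2: the admin claim gates admin-only routes and cross-user access.
  const admin = isAdmin(claims);
  if (route.adminOnly && !admin) {
    return { allowed: false, reason: "admin claim required" };
  }
  const targetUserId = path.match(route.pattern)[1]; // undefined for /users
  if (targetUserId !== undefined && !admin && targetUserId !== claims.sub) {
    return { allowed: false, reason: "non-admin may only update their own user" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample tokens mirroring the thread: User A (regular), User B (admin),
// and a token whose admin claim is the string "true" rather than boolean true.
const userA = { sub: "auth0|userA", scope: "update:users" };
const userB = { sub: "auth0|userB", scope: "create:users update:users", [ADMIN_CLAIM]: true };
const stringAdmin = { sub: "auth0|userC", scope: "update:users", [ADMIN_CLAIM]: "true" };

function demo() {
  return {
    aUpdatesSelf: authorize(userA, "PATCH", "/users/auth0|userA"),
    aUpdatesOther: authorize(userA, "PATCH", "/users/auth0|userB"),
    aCreates: authorize(userA, "POST", "/users"),
    bUpdatesOther: authorize(userB, "PATCH", "/users/auth0|userA"),
    bCreates: authorize(userB, "POST", "/users"),
    stringAdminUpdatesOther: authorize(stringAdmin, "PATCH", "/users/auth0|userA"),
  };
}

module.exports = { ADMIN_CLAIM, hasScope, isAdmin, authorize, demo };
```

The two checks are deliberately ordered: the scope decides whether the operation is permitted at all, and only then does the admin claim widen the set of users it may be applied to. Returning a reason string makes denied requests easy to audit in server logs.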
