What is the typical best practice for associating a user with a customer account? For example, when the user logs in, they get back the access token. Within that access token, it will have scopes such as crud:calendar. While I trust that this user has permission to now perform CRUD operations on the calendar, I only want to allow them to perform CRUD operations on the calendar that is associated with their account.
What would be the general best practice for doing this? I could add customer account ID to the scope… But I want to get what the general best practice would be.