
How to do Authorization for an API protected with OAuth?

#1

Hi,
I understand the basics of OAuth, but I am still unable to figure out the implementation that I need for client authorization. Please help me to understand the right approach needed.

Use Case:
I have an API protected by OAuth currently using Access Code (Application flow grant type).
My API is like “/api/account/1233444” where 1233444 is account id and this returns account information.
All my Account IDs are sequential. So if the client uses another account id like 1233445, the API returns that account details. This is a security breach as the client should be allowed to access 1233444 only!!

How can I achieve Authorization in this case so that API returns only 1233444 account details for client A?

Scopes or Authorization Code grant type? If yes, how?

Thanks for your time

Sanjay
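One way to enforce the object-level check the question asks about, as an added example that is not part of this thread or of Auth0's own code: the token's scope says what kind of action is allowed, while the binding between the caller and the account it may read comes from the API's own records, so a valid token alone never grants access to a neighbouring account id. The claim names, subject ids, account ids and the lookup table are constructed for the example.

```python
# Added example (not from the thread): object-level authorization for
# GET /api/account/{id}. Assumes the access token has already been validated
# (signature, issuer, audience, expiry) by middleware and `claims` is its payload.
from dataclasses import dataclass
from typing import Dict, Set, Tuple

REQUIRED_SCOPE = "read:account"

# Constructed lookup: which account(s) each authenticated subject may read.
# In a real API this comes from your own user/tenant store, keyed on the
# token's `sub` claim (a user id, or the client id for client-credentials
# tokens). Values below are hypothetical.
SUBJECT_ACCOUNTS: Dict[str, Set[str]] = {
    "auth0|user-a": {"1233444"},
    "client-b@clients": {"1233445"},
}


@dataclass
class Decision:
    allowed: bool
    status: int
    reason: str


def authorize_account_access(claims: dict, requested_account_id: str) -> Decision:
    """Decide whether the token's subject may read `requested_account_id`."""
    sub = claims.get("sub")
    if not sub:
        return Decision(False, 401, "token has no subject")
    # The scope proves the *kind* of action the token grants ...
    scopes = set(claims.get("scope", "").split())
    if REQUIRED_SCOPE not in scopes:
        return Decision(False, 403, f"missing scope {REQUIRED_SCOPE}")
    # ... but not *which* account; that binding is a server-side decision.
    owned = SUBJECT_ACCOUNTS.get(sub, set())
    if requested_account_id not in owned:
        # 404 rather than 403 so the response does not confirm the id exists.
        return Decision(False, 404, "account not found")
    return Decision(True, 200, "ok")


def get_account(claims: dict, account_id: str) -> Tuple[int, dict]:
    """Handler for GET /api/account/{account_id}: authorize first, then fetch."""
    decision = authorize_account_access(claims, account_id)
    if not decision.allowed:
        return decision.status, {"error": decision.reason}
    # Constructed stand-in for the real account lookup.
    return 200, {"account_id": account_id, "owner": claims["sub"]}
```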

#2

For your case, you should be using Authorization Code Grant flow. In Auth0 I think it is SSO for Regular Web Apps: Solution Overview

#3

Hey @mssanjay!

Yep, the resources that @manjunath.narayana provided are absolutely helpful. I would go first to the latter one, as it will guide you step by step through how and why you should pick the exact flow.