I understand the basics of OAuth but I am still unable to figure out the implementation that I need for client authorization. Please help me to understand the right approach needed.
I have an API protected by OAuth, currently using the Access Code (Application flow) grant type.
My API is like "/api/account/1233444", where 1233444 is the account ID, and this returns account information.
All my account IDs are sequential. So if the client uses another account ID like 1233445, the API returns that account's details. This is a security breach, as the client should be allowed to access 1233444 only!!
How can I achieve Authorization in this case so that API returns only 1233444 account details for client A?
Scopes or Authorization Code grant type? If yes, how?
Thanks for your time
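An added example (not code from the question or from any OAuth library) of the object-level check the resource server needs whatever grant type is used: the token identifies the caller, and the server maps that caller to the account(s) it may read. The client-to-account table, the token table standing in for introspection results, and all names are assumed or constructed.

```python
# Added example: object-level authorization for /api/account/{id}.
# Assumption: the authorization server's token validation (introspection or
# JWT verification) yields `client_id`, `scope` and `active`; here that step
# is simulated with a constructed TOKENS table.
import re

# Constructed mapping: which account(s) each registered client may read.
CLIENT_ACCOUNTS = {
    "client-a": {1233444},
    "client-b": {1233445},
}

# Constructed stand-in for validated token claims.
TOKENS = {
    "tokA": {"client_id": "client-a", "scope": "account:read", "active": True},
    "tokB": {"client_id": "client-b", "scope": "account:read", "active": True},
    "tokExpired": {"client_id": "client-a", "scope": "account:read", "active": False},
}

PATH_RE = re.compile(r"^/api/account/(\d+)$")

def vulnerable_handler(token, path):
    """'Before': authenticates the token but never checks ownership (the bug
    described in the question: any valid client can read any account)."""
    claims = TOKENS.get(token)
    if not claims or not claims["active"]:
        return 401, None
    account_id = int(PATH_RE.match(path).group(1))
    return 200, {"account_id": account_id}

def secure_handler(token, path):
    """'After': authenticate, check scope, then enforce that the account in
    the URL belongs to the calling client."""
    claims = TOKENS.get(token)
    if not claims or not claims["active"]:
        return 401, None                      # authentication failed
    if "account:read" not in claims["scope"].split():
        return 403, None                      # token lacks the required scope
    m = PATH_RE.match(path)
    if not m:
        return 404, None
    account_id = int(m.group(1))
    # Object-level check: scopes say what a token may do, not which account.
    if account_id not in CLIENT_ACCOUNTS.get(claims["client_id"], set()):
        return 404, None                      # 404 rather than 403 avoids confirming the id exists
    return 200, {"account_id": account_id}
```

With the Authorization Code grant the same lookup is keyed by the resource owner (the token's subject) instead of `client_id`; the scope check alone does not close the gap in either case.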