REST authorization security question

danyo · October 3, 2022, 9:26pm

Using oauth claims based authz with scopes, how best to secure an endpoint /customers/123 so if im an admin, i can get any customer, but if im an area manager, i can only load customers in my area.

doesnt feel right to create multiple scopes read:customers, read:customers-all

Also doesnt feel right to create different endpoint, secured by different scopes
/customers/123
/area-managers/abc/customers/123

danyo · October 3, 2022, 9:31pm

Just to elaborate, there could also be a scenario where a customer can access their own information too.

john.gateley · October 4, 2022, 1:19pm

Hi @danyo

Check out Fine Grained Authorization:

John

danyo · October 11, 2022, 9:08pm

Thank you. ill have a look and get back to you.
Cheers and thanks for your response

Topic		Replies	Views
Question about API security and preventing user from accessing another user's data Help apis , application	3	291	March 29, 2024
How to secure API endpoints? Help	2	1375	October 28, 2022
Auth0 Fine Grained Authorization: Developer Community Preview Release Blog Discussions	6	3015	May 18, 2022
Auth0 Fine Grained Authorization: Dev Community Preview Release! Announcements auth0 , community , developers , fine-grained-auth , preview	1	3400	January 15, 2022
Assigning permissions (scopes) to different API endpoints for different types of users Help scopes , permissions	2	2971	December 2, 2020

REST authorization security question

Related Topics