REST authorization security question

Using oauth claims based authz with scopes, how best to secure an endpoint /customers/123 so if im an admin, i can get any customer, but if im an area manager, i can only load customers in my area.

doesnt feel right to create multiple scopes read:customers, read:customers-all

Also doesnt feel right to create different endpoint, secured by different scopes

Just to elaborate, there could also be a scenario where a customer can access their own information too.

Hi @danyo

Check out Fine Grained Authorization:


1 Like

Thank you. ill have a look and get back to you.
Cheers and thanks for your response

1 Like