REST authorization security question

Using OAuth claims-based authz with scopes, how best to secure an endpoint /customers/123 so that if I'm an admin, I can get any customer, but if I'm an area manager, I can only load customers in my area?

It doesn't feel right to create multiple scopes (read:customers, read:customers-all).

It also doesn't feel right to create different endpoints, each secured by a different scope:
/customers/123
/area-managers/abc/customers/123

Just to elaborate, there could also be a scenario where a customer can access their own information too.

Hi @danyo

Check out Fine Grained Authorization:

John

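
The pattern John is pointing at, in working form, as an added example (not code from the original thread or from any Auth0/FGA product): keep a single endpoint and a single coarse scope (read:customers) that answers "may this client read customers at all", then make the per-record decision from the token's claims and the resource's own attributes (the customer's area and owner). The claim names https://example.com/roles and https://example.com/area_ids, the Customer model and the sample records are assumptions made for illustration.

```python
"""GET /customers/{id} with two-layer authorization: one OAuth scope gate,
then a fine-grained check of the caller's relationship to the record.

Added example for this thread; not from the original post or any product.
Claim names, the Customer model and the sample data are assumptions.
"""
from dataclasses import dataclass

# Assumed namespaced custom claims. Many IdPs require URL-style names for
# custom claims so they cannot collide with registered JWT claims.
ROLES_CLAIM = "https://example.com/roles"
AREAS_CLAIM = "https://example.com/area_ids"
READ_SCOPE = "read:customers"


@dataclass(frozen=True)
class Customer:
    id: str
    area_id: str
    owner_sub: str  # token 'sub' of the end user this record belongs to


@dataclass(frozen=True)
class Claims:
    sub: str
    scopes: frozenset
    roles: frozenset
    area_ids: frozenset


def claims_from_payload(payload: dict) -> Claims:
    """Build Claims from an already-verified JWT payload.

    Signature, issuer, audience and expiry checks are assumed to have run
    before this point; this only reads decoded fields. The OAuth 'scope'
    claim is a space-delimited string (RFC 6749 section 3.3).
    """
    return Claims(
        sub=payload["sub"],
        scopes=frozenset(payload.get("scope", "").split()),
        roles=frozenset(payload.get(ROLES_CLAIM, [])),
        area_ids=frozenset(payload.get(AREAS_CLAIM, [])),
    )


def authorize_read_customer(claims: Claims, customer: Customer) -> tuple:
    """Return (allowed, reason).

    The scope decides whether the client may read customers at all; the
    role/relationship rules decide whether it may read *this* customer.
    """
    if READ_SCOPE not in claims.scopes:
        return False, "missing scope " + READ_SCOPE
    if "admin" in claims.roles:
        return True, "admin may read any customer"
    if "area_manager" in claims.roles and customer.area_id in claims.area_ids:
        return True, "area manager for area " + customer.area_id
    if claims.sub == customer.owner_sub:
        return True, "customer reading own record"
    return False, "no relationship between subject and customer"


# Constructed sample data standing in for the customer store.
CUSTOMERS = {
    "123": Customer(id="123", area_id="north", owner_sub="auth0|cust123"),
    "456": Customer(id="456", area_id="south", owner_sub="auth0|cust456"),
}


def get_customer(claims: Claims, customer_id: str) -> tuple:
    """Handler for GET /customers/{id}; returns (http_status, body)."""
    customer = CUSTOMERS.get(customer_id)
    if customer is None:
        return 404, None
    allowed, _reason = authorize_read_customer(claims, customer)
    if not allowed:
        # 404 rather than 403 so a caller cannot enumerate which IDs exist
        # outside their area; keep _reason for server-side audit logs only.
        return 404, None
    return 200, {"id": customer.id, "area_id": customer.area_id}


if __name__ == "__main__":
    admin = claims_from_payload({"sub": "auth0|admin", "scope": "read:customers",
                                 ROLES_CLAIM: ["admin"]})
    north_mgr = claims_from_payload({"sub": "auth0|mgr", "scope": "read:customers",
                                     ROLES_CLAIM: ["area_manager"],
                                     AREAS_CLAIM: ["north"]})
    print(get_customer(admin, "456"))      # (200, {'id': '456', 'area_id': 'south'})
    print(get_customer(north_mgr, "456"))  # (404, None)
```

The scope is deliberately the same for every caller, so the question of "read:customers versus read:customers-all" disappears: the scope is a capability of the client application, while who may see which record is a property of the subject and the data, evaluated where the data lives. If the relationship data (which manager owns which area) grows beyond what fits in a token, the same authorize_read_customer call is the natural place to query an external relationship store instead of reading the area list from claims.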

Thank you. I'll have a look and get back to you.
Cheers, and thanks for your response.
