Restrict calling auth0 management api method based on arguments

Good Afternoon,

We are implementing a single page application (spa) that is used by our admins to configure our system. There are two roles, “super admins” and “normal admins”. The “normal admins” should only be able to create or delete users that have the same role and that have the same custom id as metadata.

We are wondering now whether the spa can directly use the management api to provide the described services or whether we need to implement an api, which the spa uses to interact with the management api. We would prefer to let the spa interact directly with the management api, but we fear that using scopes is not enough. Is it somehow possible to prevent users from calling management api methods based on the sent arguments without implementing a custom api?

Kind Regards,
Magnus

Hi @magnus.goedde,

Welcome to the Community! I apologize for the delayed response.

Your SPA will not be able to (and should not) request a token for the management API. The management API tokens are scoped broadly, e.g. read:users, update:users, etc., and don’t have the granular functionality that would allow a regular admin to only make updates on that role and sub-roles. Any user could inspect the client, grab the token, and make requests via curl or otherwise.

You will need to build this out in a proxy API that parses the request and limits what calls can be made to the management API based on the role type. If you decide to create a proxy API, when you request it you can have the user’s role added to the access token and limit calls based on that claim.

Hope this clarifies,
Dan

