I am aiming to design an API that supports actions originating from both users and from clients. As an example, a user being assigned to a task.
- A user access token (user identified by the ‘sub’ claim) may assign a task to themselves.
- A machine (user identified in some other way, header? request field?) may assign a task to a user.
I would like to ask what a common approach to a problem like this would be. I see two potential options:
- Have a second API that the user access token may be used for. Have this then call the API using a M2M token with the user context.
- Conditional logic to validate permissions based on the grant type, and act accordingly.
There may be another, better option that I haven’t considered.
Cheers.
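An added example sketching the second option (one authorization function that branches on the kind of token), not code from the original post. Claim names are assumptions: the JWT validator is assumed to hand over a dict with `sub`, `scope` and, for client-credentials tokens, a marker claim `gty` (the name some issuers use); the user a machine acts for arrives as a separate request field or header.

```python
"""Authorize 'assign task' for callers that may be users or machines.

Assumed claim layout (not from the original post):
  user token:    {"sub": "<user id>", "scope": "tasks:assign ..."}
  machine token: {"client_id": "<id>", "gty": "client-credentials", "scope": ...}
"""
from typing import Mapping, Optional

ASSIGN_SCOPE = "tasks:assign"


class Forbidden(Exception):
    """Raised when the caller may not perform the assignment."""


def is_machine_token(claims: Mapping[str, str]) -> bool:
    # Assumption: the issuer marks client-credentials tokens with gty.
    return claims.get("gty") == "client-credentials"


def resolve_actor(claims: Mapping[str, str], acting_as: Optional[str]) -> str:
    """Return the user id the action is performed for, or raise Forbidden.

    acting_as is the user context a machine caller supplies in the request.
    For a user token it must never override the token's own subject.
    """
    if ASSIGN_SCOPE not in claims.get("scope", "").split():
        raise Forbidden("token lacks the assign scope")
    if is_machine_token(claims):
        if not acting_as:
            raise Forbidden("machine caller must state which user it acts for")
        return acting_as  # trusted client: user context comes from the request
    sub = claims.get("sub")
    if not sub:
        raise Forbidden("user token carries no sub")
    if acting_as not in (None, sub):
        raise Forbidden("a user token cannot act as another user")
    return sub


def authorize_assignment(claims: Mapping[str, str], assignee: str,
                         acting_as: Optional[str] = None) -> bool:
    """True if this caller may assign the task to `assignee`."""
    try:
        actor = resolve_actor(claims, acting_as)
    except Forbidden:
        return False
    if is_machine_token(claims):
        return True  # a machine with the scope may assign to any user
    return actor == assignee  # a user may only assign a task to themselves
```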