CWitty

Reputation: 4536

OAuth 2 Company -> Employee Hierarchy

I am working on setting up OAuth 2 for our next API. The intended use is to allow other software to interact with our API. The problem I am facing is deciding how to allow one user (admin) to set up the integration by approving the application, but then allowing all of the users in the other software to perform actions in our software while still tracking the user that is performing the action. I am contemplating using a header or a parameter that they would set signifying the user performing the action.

Do you have any examples of a setup similar to this or optimizations that could be made to allow tracking users and actions performed without making each user set up OAuth?

Upvotes: 0

Views: 266

Answers (1)

Ján Halaša

Reputation: 8421

If you want to use your OAuth2 server as a user permission store for authorization opposed to permission delegation (as when an app uses the Google OAuth2 access token to perform actions on behalf of its user), you will probably want all permissions of a user to be included in the issued access tokens (not only those specifically requested by an application that initiated the authentication/authorization process). How to configure it is beyond the scope of OAuth2 specification and it's specific to each implementation.

When some application calls your API, you should get an access token in the Authorization: Bearer accessTokenValue HTTP request header. You must validate this token, extract its permissions, and you can also get info about the user the token was issued for. This can be performed at the OAuth2 introspection endpoint. For more info, see

I don't know how you want to track user actions, so I hope the info above covers some of your questions.

Upvotes: 1
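An added example, not part of the question or the answer, of the API-side flow the answer describes: pull the bearer token from the Authorization header, validate it against an introspection endpoint (RFC 7662), check the required scope, and record the user the token was issued for. The in-memory introspection table and the X-Acting-User header name are constructed assumptions; note that the header is logged as an unverified claim, while the authenticated principal always comes from the token.

```python
import time
from typing import Optional, Tuple

# Constructed stand-in for the OAuth2 introspection endpoint (RFC 7662).
# In production this is an HTTP POST to the authorization server; the
# table below is sample data, not a real token store.
_INTROSPECTION_TABLE = {
    "tok-admin-integration": {
        "active": True,
        "scope": "invoices:read invoices:write",
        "client_id": "partner-erp",    # the integrating software
        "sub": "admin@example.test",   # user who approved the integration
        "exp": 4102444800,             # far-future expiry, constructed
    },
    "tok-expired": {"active": False},
}

def introspect(token: str) -> dict:
    """Return the introspection response for a token (inactive if unknown)."""
    return _INTROSPECTION_TABLE.get(token, {"active": False})

def bearer_token(headers: dict) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>' (case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
    return None

def authorize(headers: dict, required_scope: str, now: Optional[float] = None) -> Tuple[bool, dict]:
    """Validate the bearer token via introspection, check scope, build an audit record.
    X-Acting-User (assumed header name) is recorded only as a claim made by the
    client; 'sub' and 'client_id' from the token are the authenticated identity."""
    now = time.time() if now is None else now
    token = bearer_token(headers)
    if token is None:
        return False, {"reason": "missing_bearer_token"}
    info = introspect(token)
    if not info.get("active") or info.get("exp", 0) <= now:
        return False, {"reason": "inactive_or_expired_token"}
    granted = set(info.get("scope", "").split())
    if required_scope not in granted:
        return False, {"reason": "insufficient_scope", "client_id": info.get("client_id")}
    acting_user = next((v for k, v in headers.items() if k.lower() == "x-acting-user"), None)
    audit = {
        "client_id": info["client_id"],
        "authorized_by": info["sub"],
        "acting_user_claimed": acting_user,  # unverified, supplied by the client
        "scope": required_scope,
    }
    return True, audit
```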
