Tom

Reputation: 1457

What is best practice for handling partial authorization in APIs

After reading a few posts about best practices in APIs, I still have an unanswered question:

Should the API respond with:

  1. A (Edited, correction, not 401:) 403 Forbidden error code, denying the whole request

or

  1. The data of objects with IDs [1,2,3] and deny read access to [4,5]

Upvotes: 1

Views: 365

Answers (1)

David Brossard

Reputation: 13834

After reading a few posts about best practices in APIs, I still have an unanswered question:

  • Assuming I have a user requesting to read objects with IDs [1,2,3,4,5]
  • Assuming this user is authorized to read [1,2,3] but not [4,5]

Should the API respond with:

  1. A 401 Unauthorized error code, denying the whole request

No. HTTP 401 is about not being able to authenticate (yes in spite of the name). You would return (if at all) HTTP 403. But in this case, given you did authenticate to the endpoint and given you are indeed allowed to view some of the elements, I would not return that.

or

  1. The data of objects with IDs [1,2,3] and deny read access to [4,5]

Yes. I would return what the user can see. More specifically, I am thinking that you have an API along the lines of

/api/items/{itemid}

Where an HTTP GET to /api/items would return the entire list of items the user can view i.e. items 1, 2, and 3.

An HTTP GET to /api/items/1 would return the item. An HTTP GET to /api/items/4 could either return HTTP 403 (you do not have the right to view the item) or HTTP 404 (item not found in the case where you do not even want to reveal the existence of the file).

How would authorization be determined? Is it just an ACL? RBAC? ABAC? If the latter, look into XACML as a means to write authorization policies to control your APIs.

Upvotes: 2
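The behaviour the answer describes, as an added example that is not part of the question or the answer: a collection endpoint that silently filters to what the caller may read, a single-item endpoint that returns 403 or (when existence should not be leaked) 404, and a batch read that returns the permitted subset. The ACL, user names, item data and function names are constructed for illustration; a real deployment would back `can_read` with its own policy engine (RBAC, ABAC, XACML or otherwise).

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data: five items and a per-user ACL of readable ids.
ITEMS: Dict[int, dict] = {i: {"id": i, "name": f"item-{i}"} for i in range(1, 6)}
ACL: Dict[str, Set[int]] = {"alice": {1, 2, 3}, "bob": set()}
# Hypothetical set of authenticated principals (anyone else is unauthenticated).
USERS: Set[str] = set(ACL)


def can_read(user: str, item_id: int) -> bool:
    """Authorization decision point: plain ACL lookup (stand-in for a policy engine)."""
    return item_id in ACL.get(user, set())


def list_items(user: str) -> Tuple[int, object]:
    """GET /api/items: 401 if unauthenticated, otherwise only the items the
    caller may read. Partial authorization never turns into a 403 here."""
    if user not in USERS:
        return 401, {"error": "authentication required"}
    visible = [item for iid, item in sorted(ITEMS.items()) if can_read(user, iid)]
    return 200, visible


def get_item(user: str, item_id: int, hide_existence: bool = False) -> Tuple[int, dict]:
    """GET /api/items/{itemid}: 403 when the caller lacks the right to view it,
    or 404 when hide_existence=True so the response does not reveal that the
    id exists. Unknown ids are 404 in both modes, so the two cases are
    indistinguishable to the caller when hiding is on."""
    if user not in USERS:
        return 401, {"error": "authentication required"}
    if item_id not in ITEMS:
        return 404, {"error": "not found"}
    if not can_read(user, item_id):
        if hide_existence:
            return 404, {"error": "not found"}
        return 403, {"error": "forbidden"}
    return 200, ITEMS[item_id]


def batch_get(user: str, ids: List[int], hide_existence: bool = False) -> Tuple[int, dict]:
    """Batch read of several ids: returns the readable subset (option 2 in the
    question). Denied ids are reported separately unless hide_existence is
    set, in which case they are folded into 'missing' so the response leaks
    nothing about ids the caller may not see."""
    if user not in USERS:
        return 401, {"error": "authentication required"}
    allowed = [ITEMS[i] for i in ids if i in ITEMS and can_read(user, i)]
    denied = [i for i in ids if i in ITEMS and not can_read(user, i)]
    missing = [i for i in ids if i not in ITEMS]
    if hide_existence:
        missing = sorted(missing + denied)
        denied = []
    return 200, {"items": allowed, "denied": denied, "missing": missing}


if __name__ == "__main__":
    print(list_items("alice"))
    print(get_item("alice", 4))
    print(get_item("alice", 4, hide_existence=True))
    print(batch_get("alice", [1, 2, 3, 4, 5]))
```

The choice between 403 and 404 for a denied single item is a policy decision, not a code detail: 403 is more informative for legitimate clients, while 404 avoids confirming that an id exists to a caller who is not entitled to know.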
