Consider the following Web Account API request:

GET www.examples.org/api/webaccounts

A user will discover that this API request will only list their own web account. For example, if I am authenticated as the test user when making the request, the response will only contain the test web account:

{
   "_embedded":{
      "webaccounts":[
         {
            "name":"Test Account",
            "_links":{
               "self":{
                  "href":"https://www.examples.org/api/webaccounts/test"
               }
            }
         }
      ]
   },
   "_links":{
      "self":{
         "href":"https://www.examples.org/api/webaccounts"
      },
      "apiEntryPoint":{
         "href":"https://www.examples.org/api"
      }
   }
}

This might lead one to ask why the other web accounts aren't listed. The reason is that the SRP HTTP Framework doesn't include a way to authorize one web account as having more permissions than another web account. Since all web accounts are equal with regard to the Web Accounts API, the API logic prevents one user from having access to another user's web account data.

The built-in authentication (web account) framework is extensible, so a developer could update it to support simple or complex authorization. For full SRP FrameWorks developers, the web accounts module could be merged into the security framework and thus provide a rich foundation for authentication and authorization in one unified package.
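The following is an added example, not SRP HTTP Framework code, that models the "every web account only sees itself" rule behind the response above and the authorization hook a developer might add. The account store, the principal shape and the `roleBasedPolicy` function are assumptions for illustration.

```javascript
// Added example (not SRP HTTP Framework code): a minimal model of the
// self-only rule the Web Accounts API enforces, plus an authorization
// extension point. All account names and URLs are constructed sample data.
const API_BASE = "https://www.examples.org/api";

// Constructed sample store; the real framework keeps web accounts elsewhere.
const WEB_ACCOUNTS = [
  { id: "test", name: "Test Account" },
  { id: "alice", name: "Alice Account" },
  { id: "admin", name: "Admin Account" },
];

// Default policy: all web accounts are equal, so a caller may only see
// its own account. Anything else is denied.
function selfOnlyPolicy(principal, account) {
  return principal.id === account.id;
}

// Hypothetical extension: a role claim (not part of the stock framework)
// lets an administrator see every account while others stay self-only.
function roleBasedPolicy(principal, account) {
  return principal.roles.includes("admin") || principal.id === account.id;
}

// Build the HAL-style body shown above, keeping only accounts the policy
// allows. Unauthenticated callers get 401 rather than an empty list, so a
// missing session is not confused with "no accounts".
function listWebAccounts(principal, policy = selfOnlyPolicy) {
  if (!principal || !principal.id) {
    return { status: 401, body: { error: "not authenticated" } };
  }
  const visible = WEB_ACCOUNTS.filter((a) => policy(principal, a));
  return {
    status: 200,
    body: {
      _embedded: {
        webaccounts: visible.map((a) => ({
          name: a.name,
          _links: { self: { href: `${API_BASE}/webaccounts/${a.id}` } },
        })),
      },
      _links: {
        self: { href: `${API_BASE}/webaccounts` },
        apiEntryPoint: { href: API_BASE },
      },
    },
  };
}
```

With the default policy the test principal gets exactly the one-account response shown above; swapping in `roleBasedPolicy` is the kind of change the extensible framework would let a developer make.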