Consider the following Web Account API request:

GET www.examples.org/api/webaccounts

A user will discover that this API request will only list their own web account. For example, if I am authenticated as the test user when making the request, the response will only contain the test web account:

{
   "_embedded":{
      "webaccounts":[
         {
            "name":"Test Account",
            "_links":{
               "self":{
                  "href":"https://www.examples.org/api/webaccounts/test"
               }
            }
         }
      ]
   },
   "_links":{
      "self":{
         "href":"https://www.examples.org/api/webaccounts"
      },
      "apiEntryPoint":{
         "href":"https://www.examples.org/api"
      }
   }
}

This might lead one to ask why the other web accounts aren't listed. The reason is that the SRP HTTP Framework doesn't include a way to authorize one web account as having more permissions than another. Since all web accounts are equal with regard to the Web Accounts API, the API logic prevents one user from accessing another user's web account data.

The built-in authentication framework is extensible, so a developer could update it to support simple or complex authorization. For full SRP FrameWorks developers, the web accounts module could be merged into the security framework and thus provide a rich foundation for authentication and authorization in one unified package.
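As an added example that is not part of this page or of SRP's framework, the following Python sketch models the rule described above (a caller only ever sees its own web account) and the kind of role-based hook a developer might bolt on; the account store, the `can_read` rule and the `webaccounts:admin` role are all constructed assumptions.

```python
# Added example, not SRP Computer Solutions' code: a minimal model of the
# Web Accounts API authorization rule. WebAccount, can_read and the
# "webaccounts:admin" role are hypothetical names.
from dataclasses import dataclass

BASE = "https://www.examples.org/api"

@dataclass(frozen=True)
class WebAccount:
    name: str                        # account key, e.g. "test"
    display: str                     # human-readable name, e.g. "Test Account"
    roles: frozenset = frozenset()   # hypothetical extension point; empty in the stock rule

# Constructed sample store of web accounts.
ACCOUNTS = {
    "test":  WebAccount("test", "Test Account"),
    "alice": WebAccount("alice", "Alice Account"),
    "admin": WebAccount("admin", "Admin Account", frozenset({"webaccounts:admin"})),
}

def can_read(caller, target):
    """Stock rule: all accounts are equal, so a caller may only read itself.
    The role check is the hypothetical authorization extension."""
    return caller.name == target.name or "webaccounts:admin" in caller.roles

def list_webaccounts(caller):
    """GET /api/webaccounts: build the HAL body, filtered through can_read."""
    visible = [a for a in ACCOUNTS.values() if can_read(caller, a)]
    return {
        "_embedded": {"webaccounts": [
            {"name": a.display,
             "_links": {"self": {"href": f"{BASE}/webaccounts/{a.name}"}}}
            for a in visible]},
        "_links": {"self": {"href": f"{BASE}/webaccounts"},
                   "apiEntryPoint": {"href": BASE}},
    }

def get_webaccount(caller, name):
    """GET /api/webaccounts/{name}: returns (status, body). A foreign account
    is answered 404, not 403, so the response does not confirm it exists
    (a design choice made here, not one the page states)."""
    target = ACCOUNTS.get(name)
    if target is None or not can_read(caller, target):
        return 404, {"error": "Not Found"}
    return 200, {"name": target.display,
                 "_links": {"self": {"href": f"{BASE}/webaccounts/{target.name}"}}}
```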
