
Consider the following API request:

GET www.examples.org/api/webaccounts

The user making the request will only see their own web account listed. For example, if I am authenticated as the test user when making the request, the response will only contain the test web account:

{
   "_embedded":{
      "webaccounts":[
         {
            "name":"Test Account",
            "_links":{
               "self":{
                  "href":"https://www.examples.org/api/webaccounts/test"
               }
            }
         }
      ]
   },
   "_links":{
      "self":{
         "href":"https://www.examples.org/api/webaccounts"
      },
      "apiEntryPoint":{
         "href":"https://www.examples.org/api"
      }
   }
}

This might lead one to ask why the other web accounts aren't listed. The reason is that the SRP HTTP Framework doesn't include a way to authorize one web account as having more permissions than another web account. Since all web accounts are equal with regard to the Web Accounts API, the API logic prevents one user from accessing another user's web account data.

A developer could update the built-in authentication (web account) framework to support simple or complex authorization.
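The ownership rule described above, and the kind of simple authorization extension the previous sentence mentions, modelled as an added Python example that is not part of the SRP HTTP Framework. The account records, the `admin` role and the function names are assumptions for illustration; the response shape follows the HAL document shown earlier.

```python
from typing import Dict, Optional, Tuple

BASE = "https://www.examples.org/api"

# Constructed sample data (not from the page): each record stores its owner.
WEB_ACCOUNTS: Dict[str, Dict[str, str]] = {
    "test": {"name": "Test Account", "owner": "test"},
    "alice": {"name": "Alice Account", "owner": "alice"},
}

# Hypothetical role table for the "simple authorization" extension. Left empty,
# it reproduces the framework's rule that all web accounts are equal.
ROLES: Dict[str, set] = {"admin": set()}


def can_access(user: str, record: Dict[str, str]) -> bool:
    """Ownership check; a user holding the assumed 'admin' role sees every account."""
    return record["owner"] == user or user in ROLES["admin"]


def hal_entry(account_id: str) -> dict:
    """Render one web account in the HAL shape used by the response above."""
    return {
        "name": WEB_ACCOUNTS[account_id]["name"],
        "_links": {"self": {"href": f"{BASE}/webaccounts/{account_id}"}},
    }


def list_webaccounts(user: str) -> dict:
    """GET /api/webaccounts: embed only the accounts the caller may access."""
    visible = [hal_entry(k) for k, v in WEB_ACCOUNTS.items() if can_access(user, v)]
    return {
        "_embedded": {"webaccounts": visible},
        "_links": {
            "self": {"href": f"{BASE}/webaccounts"},
            "apiEntryPoint": {"href": BASE},
        },
    }


def get_webaccount(user: str, account_id: str) -> Tuple[int, Optional[dict]]:
    """GET /api/webaccounts/{id}: deny any account the caller may not access.
    Answering 404 for both missing and foreign accounts avoids confirming that
    another user's account exists."""
    record = WEB_ACCOUNTS.get(account_id)
    if record is None or not can_access(user, record):
        return 404, None
    return 200, hal_entry(account_id)
```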
