
This is an API-related question that applies to the APIs I'm working on, and I would like to know the standard way of doing this.

Say user1 has created accounts, so he can access them via GET /accounts.

But when he accesses the transactions for a particular account via GET /accounts/acct1/transactions,

how would this API know that acct1 actually belongs to user1, and that this is not a case where user2 is accessing user1's accounts?

This API is accessed via a mobile app using OAuth 2.0 tokens. So while the access token controls access to the API endpoints, how do we control access to only a specific user's data at that endpoint? (Using scopes?)

I've been looking at Spotify's APIs and they seem to be doing this via the v1/me endpoint. Still reading...

I'm a noob at this, and it seems to me that this should be documented somewhere in a standard manner in some RFC, but I couldn't find it and would appreciate direction.

inforeqd

1 Answer


Can you provide more details on your use case? Why are you using OAuth?

It sounds like you need an authentication protocol - i.e. a protocol to let your server know who is accessing a particular API.

To quote the OAuth website:

OAuth 2.0 is not an authentication protocol

OAuth's main use case is letting one application perform operations on behalf of a user of another application.

As an example, if your server wants to post a message on Facebook on behalf of a user, you will use OAuth to obtain a token from Facebook which lets you post messages on behalf of the user. Note that, in the most general case, your application does not know which user is represented by the token. Indeed, the user may not even be a (registered) user of your application - they only have to be a user of Facebook.

Practically speaking, you often can use the token you have to query Facebook for the identity of the user. So your server would extract the OAuth token from the request headers and use it to issue a query to Facebook's Graph API to obtain the user ID.

Note that the user is a Facebook user rather than a user of your app, so you will need to somehow map the Facebook user ID to your own users and permission system - i.e. check your database to ensure that the user has permissions to do what they asked to do.

This is the mechanism that is typically used when using OAuth like an authentication protocol (which, as quoted above, it is not).

I should add that if your app obtains an OAuth token and passes it to your server for the purposes of authentication, then this flow is not 100% secure, as discussed for example here, so make sure you do proper risk analysis for your case. In a nutshell, a determined attacker can theoretically impersonate your app and obtain tokens representing other users.

YSK
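The following is an added example, not code from the question or the answer above. It ties the two together: the ownership check the question asks about (does acct1 belong to the caller of GET /accounts/acct1/transactions?) and the flow the answer describes (extract the bearer token, ask the provider who it represents, map that identity to your own users and permissions). It also shows one concrete mitigation for the caveat in the answer's last paragraph: reject tokens that the provider did not issue to your own client, so a token an attacker obtained through a different application is not accepted as proof of identity. All tokens, the client ID, the introspection responses and the account/transaction tables are constructed sample data; `introspect_token` is a stand-in for a real provider call, not any provider's API.

```python
"""Added example (not from the question or answer): resource-ownership check
for GET /accounts/{acct}/transactions behind an OAuth 2.0 bearer token.

Everything here is constructed sample data: the token strings, the
introspection responses, the client ID and the account/transaction tables.
"""
from typing import Optional

# Our own OAuth client ID at the identity provider (constructed value).
OUR_CLIENT_ID = "mobile-app-client-id"

# Constructed stand-in for the provider's token-introspection endpoint,
# using the RFC 7662 field names "active", "sub" and "client_id". A real
# service would call the provider over HTTPS or verify a signed JWT locally.
_INTROSPECTION = {
    "tok-user1": {"active": True, "sub": "idp-user-1", "client_id": OUR_CLIENT_ID},
    "tok-user2": {"active": True, "sub": "idp-user-2", "client_id": OUR_CLIENT_ID},
    # Genuine token for user1 at the provider, but minted for some other app:
    "tok-other-app": {"active": True, "sub": "idp-user-1", "client_id": "someone-elses-app"},
    "tok-expired": {"active": False},
}

# Local tables: provider subject -> local user, and which user owns which account.
_USERS_BY_SUBJECT = {"idp-user-1": "user1", "idp-user-2": "user2"}
_ACCOUNT_OWNERS = {"acct1": "user1", "acct2": "user2"}
_TRANSACTIONS = {
    "acct1": [{"id": "t1", "amount": -12.50}, {"id": "t2", "amount": 200.00}],
    "acct2": [{"id": "t3", "amount": -3.99}],
}


def introspect_token(token: str) -> dict:
    """Constructed lookup standing in for the provider's introspection call."""
    return _INTROSPECTION.get(token, {"active": False})


def resolve_user(token: str) -> Optional[str]:
    """Map a bearer token to a local user ID, or None if it must not be trusted.

    Trust requires three things: the provider says the token is active, the
    token was issued to *our* client (so a token obtained through a different
    app is rejected), and the provider subject maps to a local user.
    """
    info = introspect_token(token)
    if not info.get("active"):
        return None
    if info.get("client_id") != OUR_CLIENT_ID:
        return None
    return _USERS_BY_SUBJECT.get(info.get("sub"))


def get_me(token: str) -> tuple[int, dict]:
    """GET /me: the identity comes from the token, never from a URL parameter."""
    user = resolve_user(token)
    if user is None:
        return 401, {"error": "unauthorized"}
    accounts = sorted(a for a, owner in _ACCOUNT_OWNERS.items() if owner == user)
    return 200, {"user": user, "accounts": accounts}


def get_transactions(token: str, acct_id: str) -> tuple[int, dict]:
    """GET /accounts/{acct_id}/transactions with an object-level ownership check."""
    user = resolve_user(token)
    if user is None:
        return 401, {"error": "unauthorized"}
    owner = _ACCOUNT_OWNERS.get(acct_id)
    # An unknown account and someone else's account get the same answer, so the
    # status code does not reveal which account IDs exist.
    if owner is None or owner != user:
        return 404, {"error": "not found"}
    return 200, {"account": acct_id, "transactions": _TRANSACTIONS[acct_id]}


if __name__ == "__main__":
    print(get_me("tok-user1"))
    print(get_transactions("tok-user1", "acct1"))      # owner: 200
    print(get_transactions("tok-user2", "acct1"))      # user2 on user1's account: 404
    print(get_transactions("tok-other-app", "acct1"))  # token for another client: 401
```

The design point is that the URL never carries the caller's identity: `resolve_user` derives it from the token on every request, and the handler then compares the resource's owner against that identity rather than against anything the client supplied. Scopes, which the question mentions, limit what kinds of operation a token may perform; they do not express which user's rows an operation may touch, which is why this per-object check is still needed alongside them.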