I have a question about RESTful APIs and security in a multi-tenant environment.
Imagine you have an endpoint: api/branches/:branchId/accounts/:accountId
Authentication is done through Bearer Tokens (OAuth2). Each token includes a set of claims associated with the invoking user. A branchId claim is included in the token, and each user belongs to a single branch.
The security restrictions are the following: branchId.

The question is: which of the following solutions is correct?

1. api/branches/:branchId/accounts/:accountId, and do the required security checks.
2. api/accounts/:accountId, obtain the branchId from the token, and then do the remaining security checks.

The application is meant to be multi-tenant. Each branch is a tenant, and each user may only access the information associated with its single branch. Thanks!
I needed to make a decision fast, so I will be using solution 1. If anybody has an argument against or in favor please join the conversation.
Arguments in favor:
Arguments against:
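Added example (not part of the question above): the two route shapes side by side, showing that in solution 1 the branchId in the path is untrusted input that must equal the token claim, and that both solutions still need the account-belongs-to-branch check. The claims dict is assumed to come from an already-verified bearer token, and the account store is a constructed in-memory dict.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    branch_id: str
    balance: int


# Constructed sample data: two branches (tenants), one account each.
ACCOUNTS = {
    "acc-1": Account("acc-1", "branch-A", 100),
    "acc-2": Account("acc-2", "branch-B", 250),
}


class Forbidden(Exception):
    """Raised when the caller's tenant does not match the requested resource."""


def get_account_solution1(claims: dict, path_branch_id: str, account_id: str) -> Account:
    """Solution 1: api/branches/:branchId/accounts/:accountId.

    The path branchId is client-controlled, so it is only accepted when it
    equals the branchId claim; the account must then belong to that branch.
    """
    token_branch = claims.get("branchId")
    if token_branch is None or path_branch_id != token_branch:
        raise Forbidden("path branchId does not match token claim")
    account = ACCOUNTS.get(account_id)
    if account is None or account.branch_id != token_branch:
        raise Forbidden("account not in caller's branch")
    return account


def get_account_solution2(claims: dict, account_id: str) -> Account:
    """Solution 2: api/accounts/:accountId; the branch comes only from the token."""
    token_branch = claims.get("branchId")
    if token_branch is None:
        raise Forbidden("token carries no branchId claim")
    account = ACCOUNTS.get(account_id)
    # Same ownership check: account ids are guessable, so the lookup alone is not enough.
    if account is None or account.branch_id != token_branch:
        raise Forbidden("account not in caller's branch")
    return account


def allowed(check, *args) -> bool:
    """True if the check passes, False if it denies (handy for tests and audit logs)."""
    try:
        check(*args)
        return True
    except Forbidden:
        return False
```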