
MacFlecknoe (22)
#1
I would like to better understand how propagating an OAuth2 access token would work.

In my experience, propagating the user's token to downstream services doesn't work for one major reason: the service invoking the downstream service often needs privileged access to data that the end user would never have permission to view him/herself.

Imagine a credit card service that needs to pull the user's credit score as well as invoke potentially sensitive and proprietary rules to determine if a user is eligible for a company's "platinum card".

For this reason, services themselves need to have permissions granted to them that are different from the user; these services use their own credentials when invoking downstream services.

So:

user---(user token)--->service A---(service token)--->service B

Service A would assume the responsibility for returning only the information the user should see, so the filtering of sensitive data happens there after it has been used for processing. This makes sense as Service A is the service responsible for returning information to the user.

My question is: am I reading this wrong? And if not, how does the author account for the complexities I have described?
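The two-token flow sketched in the post (user token into service A, service A's own token into service B, filtering on the way back out) as an added, self-contained example. This is not code from the book or from the forum poster: the tokens are minimal HMAC-signed stand-ins for OAuth2 access tokens, the authorization server is folded into the same file, and the client registration for "card-service", the credit records, and the platinum rule are all hypothetical, constructed data. Service B demands the `credit:read` scope, which the user's token never carries, so forwarding the user token downstream is rejected while service A's client-credentials token succeeds; service A then returns only the eligibility decision, not the score or the internal flag.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical signing key. In a real deployment the authorization server signs
# tokens and the services only verify them; here both sides share one HMAC key.
AUTH_SERVER_KEY = b"example-authorization-server-key"

# Hypothetical client registration for service A (client-credentials grant).
SERVICE_A_CLIENT = {"client_id": "card-service",
                    "client_secret": "card-secret",
                    "scopes": ["credit:read"]}

# Constructed sample data held by the downstream credit service (service B).
CREDIT_RECORDS = {"alice": {"score": 745, "internal_risk_flag": "none"},
                  "bob": {"score": 610, "internal_risk_flag": "thin-file"}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, scopes: list, ttl: int = 300) -> str:
    """Authorization server: mint a minimal HMAC-signed access token."""
    payload = {"sub": subject, "scope": " ".join(scopes), "exp": int(time.time()) + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(AUTH_SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, required_scope: str) -> dict:
    """Resource server side: check signature, expiry and scope; raise on failure."""
    body, sig = token.split(".")
    expected = _b64(hmac.new(AUTH_SERVER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] < time.time():
        raise PermissionError("token expired")
    if required_scope not in claims["scope"].split():
        raise PermissionError(f"missing scope {required_scope}")
    return claims


def client_credentials_grant(client_id: str, client_secret: str) -> str:
    """Authorization server: issue service A its own token (client credentials flow)."""
    if (client_id, client_secret) != (SERVICE_A_CLIENT["client_id"],
                                      SERVICE_A_CLIENT["client_secret"]):
        raise PermissionError("unknown client")
    return issue_token(client_id, SERVICE_A_CLIENT["scopes"])


def credit_service(token: str, user_id: str) -> dict:
    """Service B: only callers holding credit:read may read the full record."""
    verify_token(token, "credit:read")
    return dict(CREDIT_RECORDS[user_id])


def card_service(user_token: str) -> dict:
    """Service A: validate the user's token, call B with A's own token, filter output."""
    user = verify_token(user_token, "card:apply")
    service_token = client_credentials_grant(SERVICE_A_CLIENT["client_id"],
                                             SERVICE_A_CLIENT["client_secret"])
    record = credit_service(service_token, user["sub"])
    # Hypothetical proprietary rule; the user never sees the score or the flag.
    platinum = record["score"] >= 700 and record["internal_risk_flag"] == "none"
    return {"user": user["sub"], "platinum_eligible": platinum}


def user_token_rejected_downstream(user_token: str) -> bool:
    """Shows the post's point: forwarding the user's token to B is refused."""
    try:
        credit_service(user_token, verify_token(user_token, "card:apply")["sub"])
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    alice = issue_token("alice", ["card:apply"])
    print(card_service(alice))                    # {'user': 'alice', 'platinum_eligible': True}
    print(user_token_rejected_downstream(alice))  # True
```

The scope check in `verify_token` is what makes the separation enforceable: service B does not care who the end user is, only that the caller presents a token carrying `credit:read`, and the authorization server only issues that scope to registered service clients. If the end user's identity must also reach service B (for audit or per-user rate limits), service A would pass it as a claim or parameter alongside its own token rather than by forwarding the user's token.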