I am working on one of my first OAuth solutions, using a pre-installed Visual Studio solution.
My authentication works fine, and when a client calls
/token, they get a bearer token and all is fine. This token is a "user level" token, which you can see on every request to the server. This means I can add
[Authorize] on those endpoints only the user should access.
However, at the same time, I also want my server applications to have "full access rights". They need to be able to get lists accross multiple users, delete things and so forth.
Here comes my questions, which I assume can be answered together very easily:
- How do you manage both short lived tokens (bearer tokens?) together with permanent tokens (API tokens?)
- How do I differ on access levels, so some methods require the permanent token?
- How do I differ on access levels in the same method (ie. typical GET methods, where a user only should get "his items" while an admin token can get "all")
Probably super simple - and most likely I just don't know what keywords to search on Google!