Security Best Practices for Users API?


#1

Hi,

We’re in the final stages of migrating from Stormpath, which we used in part as a user profiles database for our old app. We are looking to migrate to Okta and are pleased with the flexibility of the users API endpoints: https://developer.okta.com/docs/api/resources/users.html#users-api

However, I can’t find anything about best practices in the docs, particularly around security. We have a use case where, on the frontend of our application, a user can go to their profile and, say, update their email address. We see this endpoint: https://developer.okta.com/docs/api/resources/users.html#update-user which updates by user ID. We also want anyone to be able to sign up and create a profile on our site. So the problem is, if we did all of this on the frontend of our app, someone would be able to swipe the API token and potentially query other services or modify other users with that token.

Should we build a backend wrapper service around the Okta users API to prevent this kind of thing? Also, I’m wondering if/how the users API can integrate with the authentication API, so that we can make sure a user can only edit their own profile.

Any help is appreciated. Thank you


#2

Hi there! Generally speaking, authorization (separate from authentication) should be handled by your code. Okta can certainly help with this, for example by allowing you to add custom scopes to access tokens that your server can use to make decisions. Hope this helps!
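The backend wrapper asked about in #1, combined with the "authorization in your own code, driven by a custom scope in the access token" approach from #2, looks roughly like the following. This is an added example, not code from the thread or from Okta: the wrapper keeps the Okta API token on the server, verifies the user's access token, requires an assumed custom scope `profile:write`, and only forwards the update when the token's `uid` claim matches the profile being edited. Real Okta access tokens are RS256 JWTs verified against the authorization server's JWKS; the HS256 signing with a constructed local key here exists only so the example runs offline, and the `RecordingOktaUsersClient` records what would be sent instead of calling the Users API.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed key for this offline demo only. Real Okta access tokens are RS256
# JWTs that must be verified against the authorization server's JWKS (the
# okta-jwt-verifier packages do this); HS256 with a local key stands in here.
DEMO_SIGNING_KEY = b"constructed-demo-key-not-for-production"

# The Okta API token stays in the backend's configuration and never reaches
# the browser; placeholder value, read it from the environment in real code.
OKTA_API_TOKEN = "SSWS <api-token-placeholder>"

# Profile attributes the frontend is allowed to change through this endpoint.
EDITABLE_FIELDS = {"email", "firstName", "lastName"}

# Custom scope assumed to be defined on the Okta authorization server.
REQUIRED_SCOPE = "profile:write"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict) -> str:
    """Build a compact JWS (HS256) carrying `claims`; stands in for Okta issuing a token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(DEMO_SIGNING_KEY, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Check structure, algorithm, signature and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and JSONDecodeError
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(DEMO_SIGNING_KEY, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:  # a token without exp is rejected too
        raise ValueError("token expired")
    return claims


class RecordingOktaUsersClient:
    """Stand-in for the server-side call to the Okta Users API update endpoint.
    Records what would be sent instead of making a network request."""

    def __init__(self, api_token: str):
        self.api_token = api_token
        self.calls = []

    def update_profile(self, user_id: str, profile: dict) -> dict:
        # A real client would send {"profile": profile} to /api/v1/users/{user_id}
        # with the API token in the Authorization header.
        self.calls.append((user_id, profile))
        return {"id": user_id, "profile": profile}


def handle_profile_update(auth_header: str, target_user_id: str, profile: dict,
                          okta: RecordingOktaUsersClient,
                          now: Optional[float] = None) -> Tuple[int, dict]:
    """Backend wrapper for 'update my profile'. Returns (http_status, body)."""
    if not auth_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    try:
        claims = verify_token(auth_header[len("Bearer "):], now)
    except ValueError as exc:
        return 401, {"error": str(exc)}
    # Scope check: the token must carry the custom scope granted for profile edits.
    if REQUIRED_SCOPE not in claims.get("scp", []):
        return 403, {"error": "insufficient scope"}
    # Ownership check: the caller may only edit the user the token names. Assumes the
    # Okta user id is in the `uid` claim; confirm against your authorization server.
    if claims.get("uid") != target_user_id:
        return 403, {"error": "may only edit own profile"}
    # Field allow-list: the browser cannot set attributes it was never meant to touch.
    disallowed = set(profile) - EDITABLE_FIELDS
    if disallowed:
        return 400, {"error": "fields not editable: " + ", ".join(sorted(disallowed))}
    return 200, okta.update_profile(target_user_id, profile)


if __name__ == "__main__":
    client = RecordingOktaUsersClient(OKTA_API_TOKEN)
    tok = mint_demo_token({"uid": "00u-alice", "scp": [REQUIRED_SCOPE], "exp": time.time() + 3600})
    print(handle_profile_update("Bearer " + tok, "00u-alice", {"email": "alice@example.com"}, client))
    print(handle_profile_update("Bearer " + tok, "00u-bob", {"email": "x@example.com"}, client))
```

The point of the wrapper is that the browser only ever holds a short-lived access token scoped to the logged-in user, while the long-lived Okta API token that can read or modify any user exists only on the server. The three server-side checks (scope, subject match, field allow-list) are what stop a stolen or replayed browser token from touching another account or an attribute such as `login`.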