by tofflos
3261 days ago
I think this is an interesting security consideration, but I would prefer implicit identity for the following reasons: If the API is meant to be consumed by machines, then it's unlikely that CSRF would be a threat. CSRF controls are more likely to be provided out of the box by a framework. Authorization controls are often tightly coupled to the business domain and are less likely to be usable out of the box. If you need to support a scenario where administrators perform tasks on behalf of other users, then I would suggest evaluating whether a sudo-like mechanism could be a viable solution.