Generic vs. User-Specific Tokens

When using the AIRisk API’s OAuth2 flow, you have the flexibility to obtain tokens that are (conceptually) either generic (not tied to any user) or user specific. The difference comes down to whether you supply the optional userid parameter in the flow:

1. Generic Access Tokens (Application-Only, not attached to particular ApplicationUser although retrieved using credentials from valid APIUser): If you do not include userid in the authorization and token requests, the resulting access_token represents your application itself, not any particular user. These tokens are useful for accessing endpoints or performing actions that are not user specific.

   • For example, accessing public data or using client-wide privileges. The token is still scoped to what your client application is allowed to do, but no specific user's data is directly implicated. In practical terms, when your app uses this token, the AIRisk API will see the request as coming from your application in a general context, only identifying the client by client_id which is tied to an APIUser in which may be used via arbitrary ApplicationUser instances.

     • In our case, one may access /api/Users/ListUsers if using a generic token as the bearer token in the HTTP headers. In this case, one may fetch the list of known user ids and then select one with which to further log in as.

2. User-Specific Access Tokens (On-Behalf-of User): If you do include a userid in the requests to /api/oauth2 and /api/api/oauth2/Token, the flow will produce a token associated with that user. This typically means the user has explicitly authorized your app to act on their behalf. The token carries the identity or context of the specified user. Use these tokens to access or modify data that the user has access to in the AIRisk API.

Important distinctions:

• A generic token might grant only limited, generic scope access, whereas a user token can grant permissions to read or write to database tables which they can access.

• You cannot use a generic token to access user-specific endpoints that require a user context. Similarly, a user-specific token only grants access to the scope of their existing access; you would need separate tokens for different users.

  • However, you may use an a user-specific access token to access any endpoints accessible via just a generic token.

• The userid parameter should be treated carefully. The user must correspond to an actual ApplicationUser in the AIRisk system, and the authorization server will not ensure that the person approving the request is that user, and therefore provides a means of impersonating other users. (In many OAuth systems, you don't manually specify the user – the user logs in themselves. AIRisk’s userid parameter might be used in scenarios where the user identity is known ahead of time or to streamline first-party integrations. Always follow AIRisk’s guidelines on how to obtain or use this parameter.)

• In summary, use a generic token when your app needs to perform application-level actions or maintenance tasks that aren't tied to a single user (such as listing available users). Use a user-specific token when your app is performing actions on behalf of a specific user, such as accessing that user's data or acting in their name within the AIRisk platform.