Somewhat related to scopes, roles are another way to limit what an application is allowed to do on behalf of a user. Unlike a scope, a role is not tied to a specific access token: it is a requirement attached to a given endpoint, and the calling application is either configured to have that role or it is not. The user is never presented with the concept of access roles.
In aID we have defined a set of roles that limit which applications are allowed to use which endpoints. Most endpoints are open to all applications, but some require specific roles; this is stated in the documentation of each endpoint that requires one.
How to use access roles
You basically don’t. You call an endpoint exactly as you normally would, and the call either succeeds or fails. If the endpoint requires a role that your application does not have, the server responds with something like:
HTTP/1.1 403 Forbidden
Content-Type: application/json;charset=utf-8

{
  "errors":[
    {
      "id":"5eac7c84-651a-48f8-b82c-1ef8233cade0",
      "meta":{},
      "code":"request.access.role.missing",
      "status":"403",
      "title":"Application does not have access to required role",
      "detail":"This endpoint requires that the application has access to role=epaper_provider"
    }
  ]
}
Here you can see that the endpoint requires the role epaper_provider, but your application does not have this role.
If you need an access role you don’t have, please contact aid.support@amedia.no and explain why you need it.
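The role an endpoint demands is only stated inside the free-text detail field of that 403, so a client that simply treats every 403 as "forbidden" loses the one piece of information it needs when asking for the role. The following is an added example (not aID's own client code) of a response check that recognises the request.access.role.missing error code, extracts the required role and the error id, and raises a dedicated exception; the response body is constructed here from the shape shown above, with a placeholder error id, and any other 403 or malformed body is deliberately treated as a generic authorization failure rather than guessed at.

```python
import json
import re

# Constructed sample of the 403 body aID returns when the calling
# application lacks the role an endpoint requires. The shape follows the
# documented response; the "id" is a placeholder, not a real error id.
SAMPLE_403_BODY = """{
  "errors": [
    {
      "id": "00000000-0000-0000-0000-000000000000",
      "meta": {},
      "code": "request.access.role.missing",
      "status": "403",
      "title": "Application does not have access to required role",
      "detail": "This endpoint requires that the application has access to role=epaper_provider"
    }
  ]
}"""

ROLE_MISSING_CODE = "request.access.role.missing"

# The required role appears only in the free-text "detail" field, so it is
# pulled out with a conservative pattern (letters, digits and underscores,
# matching the role labels documented on this page).
_ROLE_RE = re.compile(r"role=([A-Za-z0-9_]+)")


class MissingAccessRole(Exception):
    """Raised when aID refuses a call because the application lacks a role."""

    def __init__(self, role, error_id):
        self.role = role
        self.error_id = error_id
        super().__init__(f"aID requires access role {role!r} (error id {error_id})")


def find_missing_role(status, body):
    """Return (role, error_id) for a role-missing 403, otherwise None.

    `status` is the HTTP status code and `body` the raw response text.
    Any other 403, or a body that is not the documented JSON shape, yields
    None so the caller treats it as a generic authorization failure.
    """
    if status != 403:
        return None
    try:
        errors = json.loads(body).get("errors", [])
    except (ValueError, AttributeError):
        return None
    for err in errors:
        if not isinstance(err, dict) or err.get("code") != ROLE_MISSING_CODE:
            continue
        match = _ROLE_RE.search(err.get("detail", ""))
        role = match.group(1) if match else None
        return role, err.get("id")
    return None


def check_response(status, body):
    """Raise MissingAccessRole for a role-missing 403; return True otherwise.

    Meant to run right after every aID call so the missing role and the
    error id are surfaced (both are useful when contacting support)
    instead of being swallowed as an anonymous 403.
    """
    found = find_missing_role(status, body)
    if found is not None:
        role, error_id = found
        raise MissingAccessRole(role, error_id)
    return True


if __name__ == "__main__":
    try:
        check_response(403, SAMPLE_403_BODY)
    except MissingAccessRole as exc:
        print(exc)
```

Keying on the stable error code rather than on the human-readable title or detail keeps the check robust if the wording changes; the regex over detail is a best effort and the exception still carries the error id when no role can be parsed.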
Currently implemented access roles
These are the access roles currently implemented in aID:
Label                 Description
subscription_manager  Applications allowed to manage subscriptions, like adding subscriptions to users.
epaper_provider       Applications that provide ePaper services to users. (The endpoints used by the ePaper providers are currently not part of our public API.)
user_consumer         Applications that are allowed to access user data without a valid access token for the user.
group_manager         Applications that are allowed to manage groups, like creating and updating groups.