If some resource on a RESTful API is to be protected, we can do it by using OAuth for example, and then if there's no token on the headers of the request (i.e. no identity) we return a 401 status code, and if there is we return some representation.
My doubt is the following: considering the identity of who is requesting the resource (specifically I'm thinking about using claims based identity), is it ok to return a resource representation that changes with the identity?
So for example, for a request from someone with a certain set of claims we return one representation containing some set of data and some set of links. If the request is from someone with another set of claims, the set of data changes and so do the links. If someone has no identity whatsoever, we return yet another representation. So basically we are controlling who can see and can do what with each resource.
Is that something useful to do, or is there some problem with it that I'm not seeing?
1 Answer
There is nothing wrong in doing that. Imagine a list of messages which are shown to some groups of users only: one person would see a specific response, another one will see more messages; an administrator will probably see every possible message; a guest won't see anything.
You should be careful though. If the form of the response changes radically and there are too many different representations of the same resource, it may be overly complicated to build a client for such an API, since the client would have to handle all those different representations and be able, somehow, to detect which representation is used right now (hopefully it can rely on the HTTP response code).
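An added example (not from the question or the answer) of the scheme discussed: a Python function that builds the `/messages` representation from the caller's claims, filtering the data and the offered links by role while keeping one envelope shape so a client has a single format to parse. The message store, the role names and the link relations are constructed for illustration.

```python
from typing import Optional

# Constructed sample store: each message lists the roles allowed to see it.
MESSAGES = [
    {"id": 1, "text": "Welcome aboard", "audience": {"user", "moderator", "admin"}},
    {"id": 2, "text": "Moderation queue is open", "audience": {"moderator", "admin"}},
    {"id": 3, "text": "Audit log rotated", "audience": {"admin"}},
]

# Constructed policy: link relations each role may act on, per message and on the collection.
ITEM_ACTIONS = {"moderator": ["flag"], "admin": ["flag", "delete"]}
COLLECTION_ACTIONS = {"user": ["create"], "moderator": ["create"], "admin": ["create"]}


def roles_from(claims: Optional[dict]) -> set:
    """Extract the role claims; an anonymous request (claims is None) has no roles."""
    return set(claims.get("roles", [])) if claims else set()


def represent_message(msg: dict, roles: set) -> dict:
    """One message carrying only the action links this identity is allowed to follow."""
    actions = set()
    for role in roles:
        actions.update(ITEM_ACTIONS.get(role, []))
    links = {"self": f"/messages/{msg['id']}"}
    for action in sorted(actions):
        links[action] = f"/messages/{msg['id']}/{action}"
    return {"id": msg["id"], "text": msg["text"], "links": links}


def represent_collection(claims: Optional[dict]) -> dict:
    """Representation of GET /messages for the given claims.

    The envelope is the same for every identity (a list plus a links map), so the
    client needs one parser; only the filtered contents and the offered links vary.
    Messages the caller may not see are simply absent, never reported as "hidden".
    """
    roles = roles_from(claims)
    visible = [m for m in MESSAGES if roles & m["audience"]]
    links = {"self": "/messages"}
    if not roles:
        links["login"] = "/login"  # guest sees nothing, but is told how to authenticate
    for role in roles:
        for action in COLLECTION_ACTIONS.get(role, []):
            links[action] = "/messages"
    return {"messages": [represent_message(m, roles) for m in visible], "links": links}
```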