One main problem with the /api/v4/user endpoint is that the permission needed is read_user which also gives permissions to read all users (/api/v4/users) also. This is kinda bad if the account doing the OAuth2 is an administrator account, because it is much more powerful.
Said differently: Support OIDC instead of "pure" OAuth2
One main problem with the
/api/v4/userendpoint is that the permission needed isread_userwhich also gives permissions to read all users (/api/v4/users) also. This is kinda bad if the account doing the OAuth2 is an administrator account, because it is much more powerful.Said differently: Support OIDC instead of "pure" OAuth2