We have been encountering OAuth issues with our app whilst doing some testing.
The integration can be installed for the Super Admin user in the account; however, we could not OAuth the app with non-admin users in the account and get an "Uh oh! You do not have the correct role..." error. (If this is by design, it is not ideal for us, as we would like each user to connect via the app and have their own token.)
To continue the test, I changed a user to Super Admin and was able to connect the app. However, upon changing this user back to a basic non-admin, I can still connect the app. Additionally, the token for this user can be used to get all contacts in the account, even if the user does not have access to them.
What I would like to happen is: any user, whether admin or not, can OAuth an app, but that token, when used with a get-all-contacts call, should only return the contacts that the user has access to. Is this possible, or are there methods/workarounds that I can use?
Thanks in advance.