Scopes
To access the user settings endpoints, you need an access token issued by your IdentityServer implementation with the scope admin_ui_public.
This access token must have been issued on behalf of a user and contain a sub claim.
Authorization Rules
To use the user settings endpoints, the requesting user must be the same as the user being updated. Otherwise, a 403 Forbidden will be returned.
This is matched using the sub claim issued within the requesting access token.
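The following client-side pre-flight check is an added example, not part of the product documentation or its code. It decodes an access token's claims without verifying the signature and reports which of the requirements above the token fails; the function names, user ids and sample token are constructed for illustration.

```python
import base64
import json

REQUIRED_SCOPE = "admin_ui_public"  # scope named on this page


def decode_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.

    Diagnostic use only: the API performs the real validation.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected three dot-separated parts)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(jwt: str, target_user_id: str) -> list[str]:
    """Return the documented requirements the token fails (empty list = OK)."""
    claims = decode_claims(jwt)
    problems = []
    scope = claims.get("scope", [])
    # The scope claim may be a JSON array or one space-delimited string.
    scopes = scope.split() if isinstance(scope, str) else list(scope)
    if REQUIRED_SCOPE not in scopes:
        problems.append("missing scope " + REQUIRED_SCOPE)
    sub = claims.get("sub")
    if not sub:
        problems.append("no sub claim (token was not issued on behalf of a user)")
    elif sub != target_user_id:
        problems.append("sub does not match target user: expect 403 Forbidden")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature for the demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    token = make_sample_token({"sub": "user-123", "scope": ["openid", "admin_ui_public"]})
    print(preflight(token, "user-123"))  # requesting own settings
    print(preflight(token, "user-456"))  # requesting another user's settings
```

A token obtained through a flow with no user (for example client credentials) carries no sub claim and is reported by the second check.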