
Ability to 'obtain' the access_token JWT within a rule?
Pretty simple question I think: is it possible, within a rule, to get one's hands on the access_token (JWT) that is going to be sent to the client (e.g. using the Implicit Flow)?

To make a long story short, there is a scenario where I am redirecting a user to a client other than the one they are intending to log into. This is a special ‘wizard client’ where we allow our users to migrate from a username to an email-based login.

So, I want to make this redirect ‘tamper proof’, and I had the idea: "I’ll pass along the JWT access_token in the redirect, so that the Wizard client can make use of it, and ensure that the human user does not try to ‘spoof’ the client by simply updating the URL ‘by hand’."

I discovered however that the “context.accessToken” object (available in a rule) isn’t the JWT; it’s simply an object that contains key/value pairs containing any custom claims that are being added to the JWT that will be returned to the client that is logging in.

Is it possible for me to get to the ‘real JWT’ within a rule?