I am trying to write an action for limiting logins to a resource owner password grant. I’ve created an action on the M2M flow:
```javascript
const passwordGrantTestUsers = ["user@example.com"]
exports.onExecuteCredentialsExchange = async (event, api) => {
  if (event.request.body.grant_type === "password") {
    if (passwordGrantTestUsers.indexOf(event.request.body.username) === -1) {
      api.access.deny('invalid_request', "Not a test account on a test client");
    }
  }
};
```
Yes, what you observed is expected. The M2M Action flow only runs for the client credentials flow. And because you are trying to use the resource owner password grant flow, the M2M action script won’t run.
In this case, you will need to use the Post Login Action flow instead.
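The same allowlist check written as a Post Login Action, as the answer suggests; this is an added example, not code from either poster. It assumes the password grant shows up as `event.transaction.protocol` equal to `oauth2-password` or `oauth2-resource-owner`, that test users are matched on `event.user.email`, and that the client allowlist (a placeholder ID) and the `passwordGrantDenialReason` and `sampleEvent` helpers are hypothetical names.

```javascript
// Added example: allowlist check for the resource owner password grant in a
// Post Login Action. Allowlist entries below are constructed placeholders.
const PASSWORD_GRANT_PROTOCOLS = new Set(["oauth2-password", "oauth2-resource-owner"]);
const passwordGrantTestUsers = new Set(["user@example.com"]);
const passwordGrantTestClients = new Set(["TEST_CLIENT_ID_PLACEHOLDER"]);

// Returns a denial reason, or null when the login may proceed.
function passwordGrantDenialReason(event) {
  const protocol = event.transaction?.protocol;
  // Interactive and other flows are not restricted by this Action.
  if (!PASSWORD_GRANT_PROTOCOLS.has(protocol)) return null;
  // Match on the authenticated user profile rather than the raw request body.
  const email = (event.user?.email || "").toLowerCase();
  const isTestUser = passwordGrantTestUsers.has(email);
  const isTestClient = passwordGrantTestClients.has(event.client?.client_id);
  // A missing email or client ID fails closed.
  return isTestUser && isTestClient ? null : "Not a test account on a test client";
}

const onExecutePostLogin = async (event, api) => {
  const reason = passwordGrantDenialReason(event);
  if (reason) api.access.deny(reason); // Post Login deny() takes only a reason
};
// Auth0 looks the handler up on `exports`; the guard lets this file load elsewhere too.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Constructed event carrying only the fields read above.
function sampleEvent(protocol, email, clientId) {
  return { transaction: { protocol }, user: { email }, client: { client_id: clientId } };
}
```

Unlike the M2M version, `api.access.deny` here takes a single reason string, and logins through any other protocol pass through unchanged.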