Action on M2M Resource Owner Password Grant

techwolf12 · April 2, 2024, 3:23pm

Hi,

I am trying to write an action for limiting logins to a resource owner password grant, I’ve created an action on M2M flow:

const passwordGrantTestUsers = ["user@example.com"]
exports.onExecuteCredentialsExchange = async (event, api) => {
  if (event.request.body.grant_type === "password") {
    if (passwordGrantTestUsers.indexOf(event.request.body.username) === -1) {
      api.access.deny('invalid_request', "Not a test account on a test client");
    }
  }
};

However, this never seems to run?

My tenant is a test one: testwolf.eu.auth0.com

Could use some insight on this.

rueben.tiow · April 2, 2024, 7:45pm

Hi @techwolf12,

Welcome to the Auth0 Community!

Yes, what you observed is expected. The M2M Action flow only runs for the client credentials flow. And because you are trying to use resource owner password grant flow, the M2M action script won’t run.

In this case, you will need to use the Post Login Action flow instead.

Let me know if you have any questions.

Thanks,
Rueben

techwolf12 · April 2, 2024, 8:33pm

Thanks for the info!

Managed to get it working with the following:

const passwordGrantTestUsers = ["user@example.com"]
exports.onExecutePostLogin = async (event, api) => {
  if (event.transaction.protocol === "oauth2-resource-owner" || event.transaction.protocol === "oauth2-password") {
    if (passwordGrantTestUsers.indexOf(event.user.email) === -1) {
      api.access.deny('invalid_request', "Not a test account on a password grant client");
    }
  }
};

system · April 16, 2024, 8:33pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.