Allowing Specific Client and Audience to Access API

travis.evers · June 4, 2024, 9:45pm

Overview

This article addresses the following question:

Is there a way to control custom API accessible to only certain Clients and Audiences?

Solution

It is possible to enforce with a Login Action. For example:

exports.onExecutePostLogin = async (event, api) => {

const client = event?.client?.client_id;
const audience = event?.resource_server?.identifier;
if (audience === '[https://restricted-api.api'](https://restricted-api.api'/);) {
if ( !(client === '[CLIENT_ID]') ) {
return api.access.deny("This API can only be accessed by another client");
}
}
};

This code will check if the audience matches the client_id (application), and if it does not, it will prevent the user from logging in.

Topic		Replies	Views
Restrict API to a Specific Organization Knowledge Articles api , multiple-organizations , restrict	1	39	July 16, 2024
Restrict authorization request by Audience? Help oidc , audience	2	5446	March 2, 2018
Restrict first-party clients to specific APIs Help access-token , api-authorization , multiple-clients , apis , authorization-polici	2	4438	August 27, 2019
Preventing a user belonging to a group to access an application Help user-profile , user-management	4	964	May 8, 2023
Can I block user from log in all apps but one? Help auth0 , api , management-api , users , login , access-token	3	2968	June 1, 2022

Allowing Specific Client and Audience to Access API

Overview

Solution

Related topics