Today we use Azure AD as the OAuth provider with application registrations representing APIs, Web apps etc.
Users are granted access to web apps and/or APIs in order for them to use them.
When using the authorization code flow for web apps…
If the user lacks access to the web app, they will not be presented with an error message stating so.
If the user tries to request an access token for an API they will get an access token with an audience claim for the directory itself and not the API.
APIs or API Management validate incoming API calls by matching the audience claim against the expected one and, where more granularity is needed, against roles/scopes.
What I’ve observed so far while evaluating Auth0 is that there’s nothing stopping a user from using a web app without explicit access. Ideally they should be redirected to an error.
Access tokens will contain an audience claim for the API (when requested) despite the user having no explicit access.
I most likely fail in my thinking somewhere but…
- Can I restrict access to the web apps by default unless users are provided with explicit access?
- Can I ensure issued access tokens don’t contain API audience claims unless users are provided with explicit access?
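The API-side check the post describes (reject the call unless the audience claim is the API's own, then check scopes/roles) can be illustrated with a short example. This is added illustration, not code from the post, from Azure AD or from Auth0; the audience strings, scope and role names and sample payloads are constructed placeholders, and the function assumes the JWT signature and issuer have already been verified by the API gateway or a JWT library before the decoded payload reaches it. It handles both the Azure AD claim names (`scp`, `roles`) and the Auth0 ones (`scope`, `permissions`), so a token whose audience is the directory rather than the API is rejected regardless of what else it carries.

```python
import time

# Constructed placeholder identifiers; not real app registrations or APIs.
API_AUDIENCE = "api://orders-api-placeholder"
DIRECTORY_AUDIENCE = "directory-placeholder"


class TokenRejected(Exception):
    """Raised when a decoded token fails a claim check."""


def _as_list(value):
    """'aud', 'roles' and 'permissions' may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def validate_claims(claims, expected_audience, required_scopes=(), required_roles=(), now=None):
    """Check a decoded, signature-verified payload: exp, then aud, then scopes/roles."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is None or exp <= now:
        raise TokenRejected("token expired or missing exp")

    # The audience must name this API; a token minted for the directory itself is useless here.
    audiences = _as_list(claims.get("aud"))
    if expected_audience not in audiences:
        raise TokenRejected(f"audience mismatch: got {audiences!r}")

    # Delegated permissions: Azure AD emits 'scp', Auth0 emits 'scope' (space-separated).
    granted_scopes = set()
    for key in ("scp", "scope"):
        granted_scopes.update(str(claims.get(key, "")).split())
    missing = set(required_scopes) - granted_scopes
    if missing:
        raise TokenRejected(f"missing scopes: {sorted(missing)}")

    # Application/role permissions: Azure AD 'roles', Auth0 RBAC 'permissions'.
    granted_roles = set(_as_list(claims.get("roles"))) | set(_as_list(claims.get("permissions")))
    missing_roles = set(required_roles) - granted_roles
    if missing_roles:
        raise TokenRejected(f"missing roles: {sorted(missing_roles)}")
    return True


def check(claims, **kwargs):
    """Return (accepted, reason) instead of raising, for tabulating results."""
    try:
        validate_claims(claims, **kwargs)
        return True, "ok"
    except TokenRejected as exc:
        return False, str(exc)


# Constructed sample payloads (what a JWT body decodes to); not real tokens.
FIXED_NOW = 1_700_000_000
FUTURE = FIXED_NOW + 3600

# User with no access: audience is the directory, not the API.
NO_ACCESS_TOKEN = {"aud": DIRECTORY_AUDIENCE, "sub": "user-a", "exp": FUTURE}
API_TOKEN_READ = {"aud": API_AUDIENCE, "sub": "user-b", "exp": FUTURE, "scp": "orders.read"}
API_TOKEN_ADMIN = {"aud": [API_AUDIENCE], "sub": "user-c", "exp": FUTURE,
                   "scope": "orders.read orders.write", "roles": ["Orders.Admin"]}
STALE_TOKEN = {"aud": API_AUDIENCE, "sub": "user-d", "exp": FIXED_NOW - 1, "scp": "orders.read"}


def run_samples():
    """Evaluate each sample against the orders API's expectations."""
    results = {}
    results["no_access"] = check(NO_ACCESS_TOKEN, expected_audience=API_AUDIENCE, now=FIXED_NOW)
    results["read_ok"] = check(API_TOKEN_READ, expected_audience=API_AUDIENCE,
                               required_scopes=["orders.read"], now=FIXED_NOW)
    results["read_needs_write"] = check(API_TOKEN_READ, expected_audience=API_AUDIENCE,
                                        required_scopes=["orders.write"], now=FIXED_NOW)
    results["admin_ok"] = check(API_TOKEN_ADMIN, expected_audience=API_AUDIENCE,
                                required_scopes=["orders.write"], required_roles=["Orders.Admin"],
                                now=FIXED_NOW)
    results["stale"] = check(STALE_TOKEN, expected_audience=API_AUDIENCE, now=FIXED_NOW)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print(f"{name:18} {'accept' if ok else 'reject'}  {reason}")
```

The ordering matters: expiry and audience are checked before any scope or role lookup, so the "no explicit access" case in the post (a token whose audience is the directory) is rejected without the API ever consulting scopes, and the same check covers both an Azure AD and an Auth0 issuer once signature and issuer validation is in place in front of it.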