I am using device authentication code flow and I’d like to access which audience the client tries to access.
The audience is set while doing POST request to https://<MY_DOMAIN>/oauth/device/code. However, when user authenticated himself, the context in the rule is missing the audience. Specifically,
both context.request.query and context.request.body are empty. And, afaik, the rules are only executed for user authentication so no rule will be executed for post request mentioned above (since it just returns a link for user to authenticate).
auth0 sets this audience to accessToken in the end, maybe it could be available somewhere?
The client code is untrusted and I want to make sure that created access token has right audience set. So for a particular auth0 application, I just want to allow to create an access token for a specific protected resource (audience).
I see. I wasn’t able to find a way to get the audience in rules.
Typically in this type of situation where a user is represented by a public client, you would utilize some sort of role-based access control, vs a machine to machine connection where the machine requesting the token is given strict permissions.
I would suggest looking into the RBAC Core if you are open to doing it this way.