I want to limit my audiences per client when going through code flow.
Right now I have multiple applications as well as multiple clients. When I go through code flow I can include any API as an audience for my access token.
What I want to do is limit my Application to only be able to ask for one audience, so that when I go through code flow I will get unauthorized or bad request when I request the wrong audience for that Application.
We are fairly new to Auth0 provider and perhaps I am missing a setting somewhere.
Thank you for your suggestion. I am a little bit confused by this UI. This says Machine to Machine Application. In my case I will be going through code flow and not client_credentials.
It might be that my explanation was a little bit off. I am going through grant flow and requesting tokens from a specific application; also, with the request URL I pass the audience parameter. Audience is my APIs, so what I want to do is limit audience per application in code flow.
I understand your confusion, and it is good feedback. For now, this is the way to enable API access to your Machine-to-Machine and Regular Web Applications. Single Page Applications and Native Apps are excluded from this list since they do not require additional configuration.
Note that granting API access through this interface is separate from the grant type flows such as code or client_credentials as you described.
In this case, granting your regular web app API access will still allow you to call the API using the authorization code flow. In the request, you can specify the API identifier in the audience parameter.
And to reiterate, regular web applications will only receive an unauthorized error when trying to authorize with an API that they do not have access to.
Hope this helps!
Please let me know if you have any further questions.