With a machine-to-machine token, we need the ability to limit the scope issued in the token to be no more than what's requested.
I found this solution using a custom hook: Client credentials request ignores scope parameter?
However, it looks like hooks are being deprecated. But when I try to do the same in Actions:
```js
exports.onExecuteCredentialsExchange = async (event, api) => {
  if (event.transaction.requested_scopes.length === 0) {
    api.access.deny('invalid_request', "Scope missing in the request body.");
  } else {
    api.accessToken.setCustomClaim('scope', event.transaction.requested_scopes.join(' '));
  }
};
```
I got an error: The "scope" claim cannot be set.
How do you expect people to migrate from hooks to Actions when Actions don't provide the same capability?