Hi, is the Credentials Exchange action triggered when an OIDC SPA user requests an API key (not machine to machine)? In the old rules flow docs this was given as a way to prevent certain apps from accessing an API.
If not, what is the current recommendation for preventing an entire SPA app from using an OIDC token to gain a specific API token?
So, in the situation with your SPA, it’s not possible to perform the client credentials grant flow because SPAs are public clients and cannot securely store secrets.
As a result, the client credentials exchange action won’t be triggered. Only the post-login action will be triggered here.
If you need to prevent certain apps from accessing an API, you could try using a post-login action script.
For example:
// Auth0 post-login Action entry point.
exports.onExecutePostLogin = async (event, api) => {
  // Deny when this specific application asks for a token for this specific API.
  if (event.client.name === "My SPA" && event.request.query.audience === "Your API Identifier") {
    api.access.deny(`Access to ${event.client.name} is not allowed.`);
  }
};
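An added example, not the poster's code or Auth0's own, that generalises the snippet above into a per-client allowlist of API audiences so the policy can be tested outside the Actions runtime; the client names and API identifiers are constructed placeholders.

```javascript
// Added example (not the poster's code or Auth0's own): a post-login Action
// that restricts which API audiences a given SPA may request tokens for.
// Client names and audiences below are constructed placeholders.

// Allowlist: client name -> set of API identifiers that client may obtain
// access tokens for. Clients not listed here are left to Auth0's normal rules.
// A Map is used (not a plain object) so prototype keys can never match.
const ALLOWED_AUDIENCES_BY_CLIENT = new Map([
  ["My SPA", new Set(["https://public-api.example.com"])],
  ["Admin SPA", new Set(["https://public-api.example.com",
                         "https://admin-api.example.com"])],
]);

// The audience the /authorize request asked for, or null when no API
// audience was requested (e.g. a plain OIDC login for an ID token only).
function requestedAudience(event) {
  const query = (event.request && event.request.query) || {};
  const aud = query.audience;
  return typeof aud === "string" && aud.length > 0 ? aud : null;
}

// Pure decision function so the policy can be unit-tested.
// Returns { allow: boolean, reason: string }.
function decide(event) {
  const clientName = event.client && event.client.name;
  const audience = requestedAudience(event);
  if (audience === null) {
    return { allow: true, reason: "no API audience requested" };
  }
  const allowed = ALLOWED_AUDIENCES_BY_CLIENT.get(clientName);
  if (allowed === undefined) {
    return { allow: true, reason: `client "${clientName}" is unrestricted` };
  }
  if (allowed.has(audience)) {
    return { allow: true, reason: `"${clientName}" may use ${audience}` };
  }
  return { allow: false,
           reason: `Access to ${audience} from ${clientName} is not allowed.` };
}

// Auth0 Actions entry point: deny the login transaction (no tokens issued)
// when the policy says so. The reason is returned to the client as the
// OAuth error description, so keep it free of internal detail.
async function onExecutePostLogin(event, api) {
  const decision = decide(event);
  if (!decision.allow) {
    api.access.deny(decision.reason);
  }
}

if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```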
Thanks, so the post login action will trigger every time an API key is requested? Just want to confirm because I would have assumed the event only fired once after a login etc.