Credentials Exchange triggered when OIDC SPA user requests API key?

Hi, is the Credentials Exchange action triggered when an OIDC SPA user requests an API key (not machine to machine)? In the old rules flow docs this was given as a way to prevent certain apps from accessing an API.

If not, what is the current recommendation for preventing an entire SPA app from using an OIDC token to gain a specific API token?

Thanks!

Hi @abaumgartner,

Thanks for your question.

The client credentials exchange action triggers when there is a client credentials grant flow request.

So, in the situation with your SPA, it’s not possible to perform the client credentials grant flow because SPAs are public clients and cannot securely store secrets.

As a result, the client credentials exchange action won’t be triggered. Only the post-login action will be triggered here.

If you need to prevent certain apps from accessing an API, you could try using a post-login action script.

For example:

exports.onExecutePostLogin = async (event, api) => {
  // Deny when the named client asks for an access token for the given API (audience)
  if (event.client.name === "My SPA" && event.request.query.audience === "Your API Identifier") {
    api.access.deny(`Access to ${event.client.name} is not allowed.`);
  }
};

(Reference: Post-Login Action)

Let me know if you have any questions.

Thanks,
Rueben
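As an added example (not Rueben's code or Auth0's own), the same post-login deny logic generalised to an allow-list of client IDs per API audience, with the decision kept in a pure function so it can be unit-tested outside Auth0. The client IDs and audiences are constructed placeholders; the handler reads the requested API from event.resource_server.identifier and falls back to event.request.query.audience as in the reply above.

```javascript
// Added example: allow-list which clients may obtain tokens for which API.
// All client IDs and audiences below are constructed placeholders.

// Policy: audience (API identifier) -> client_ids permitted to request it.
const AUDIENCE_ALLOW_LIST = {
  "https://api.example.com/orders": ["m2m_client_id_placeholder", "backend_client_id_placeholder"],
  "https://api.example.com/public": ["spa_client_id_placeholder"],
};

// Pure decision function. Returns null when the request is allowed,
// otherwise a denial reason string. Unknown audiences fail closed.
function denialReason(clientId, audience, policy = AUDIENCE_ALLOW_LIST) {
  if (!audience) {
    return null; // no API audience requested: not an API access token request
  }
  const allowed = policy[audience];
  if (!allowed) {
    return `Unknown audience ${audience}`;
  }
  if (!allowed.includes(clientId)) {
    return `Client ${clientId} may not request tokens for ${audience}`;
  }
  return null;
}

// Auth0 post-login Action handler (same signature as in the reply above).
// The decision is made before any await, so api.access.deny is called synchronously.
async function onExecutePostLogin(event, api) {
  const audience =
    (event.resource_server && event.resource_server.identifier) ||
    event.request.query.audience;
  const reason = denialReason(event.client.client_id, audience);
  if (reason) {
    api.access.deny(reason);
  }
}

// Export in the form Auth0 Actions expect (guarded so the file also loads as an ES module).
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```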

Thanks, so the post login action will trigger every time an API key is requested? Just want to confirm because I would have assumed the event only fired once after a login etc.

Thanks again,

-Andy

Hi @abaumgartner,

Thanks for the reply.

Yes, that’s correct. The post-login action script will trigger every time you call your API using the authorization code flow.

If you use an M2M app to call your API, then it will trigger the client credentials exchange action.

Best,
Rueben