Device Flow rule oddities

I observe that device flow has some unusual behavior that breaks some assumptions when it comes to Auth0 rules. Some rules use the context.request object to obtain contextual information, but in device flow, the rule receives the request details of the ‘browser interaction’ stage of device flow, rather than the ‘device interaction’ stage. This means that much less information is available to the rule.

For example, consider Sample Use Cases: Deny access to anyone calling an API which varies its behavior based on audience. This rule doesn’t work with device flow.

For another example, the Account Linking Extension doesn’t work with device flow.

Meanwhile, I’d like to write a rule which adds some scopes based on the target audience, and I need device flow. Aside from using Authz Core, any other ideas? Thanks.

Hey there!

As Rules & Hooks are being fully deprecated soon, maybe you’re interested in finding out more about how to achieve that with Actions?

As this topic is related to Rules - Hooks - Actions, I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!

Learn more here!
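For the scope-by-audience rule asked about in the first post, here is a sketch written as a post-login Action. It is an added example, not code from this thread or from Auth0. It reads the audience from `event.resource_server.identifier` instead of the request query or body, and it assumes that field is populated during device flow on your tenant, which should be verified. The audience URLs and scope names are constructed placeholders.

```javascript
// Constructed mapping: API identifier (audience) -> extra scopes. Placeholder values.
const EXTRA_SCOPES_BY_AUDIENCE = {
  'https://orders.example.test/': ['read:orders'],
  'https://billing.example.test/': ['read:invoices', 'read:usage'],
};

const DEVICE_FLOW = 'oauth2-device-code';

// Pure decision function so the policy can be unit tested without a tenant.
function resolveExtraScopes(event) {
  const protocol = event.transaction && event.transaction.protocol;
  // Take the audience from the resolved resource server, not from
  // event.request.query/body: in device flow the request seen here belongs to
  // the browser interaction stage and may carry no audience parameter.
  const audience = event.resource_server && event.resource_server.identifier;
  if (!audience) {
    return { protocol, audience: null, scopes: [], reason: 'no_audience' };
  }
  // Own-property lookup so inherited keys such as "constructor" never match.
  const known = Object.prototype.hasOwnProperty.call(EXTRA_SCOPES_BY_AUDIENCE, audience);
  if (!known) {
    return { protocol, audience, scopes: [], reason: 'unknown_audience' };
  }
  return { protocol, audience, scopes: [...EXTRA_SCOPES_BY_AUDIENCE[audience]], reason: 'matched' };
}

// Post-login Action entry point.
const onExecutePostLogin = async (event, api) => {
  const decision = resolveExtraScopes(event);
  for (const scope of decision.scopes) {
    api.accessToken.addScope(scope);
  }
  if (decision.protocol === DEVICE_FLOW && decision.reason !== 'matched') {
    // No scopes are granted on a miss; log it so device-flow gaps are visible.
    console.log(`device flow login without extra scopes: ${decision.reason}`);
  }
};

// Export for the Actions runtime when a CommonJS "exports" object is present.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

Unknown or missing audiences receive no extra scopes, so a flow that hides the audience can only under-grant, never over-grant.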