I observe that device flow has some unusual behavior that breaks some assumptions when it comes to Auth0 rules. Some rules use the context.request object to obtain contextual information, but in device flow, the rule receives the request details of the ‘browser interaction’ stage of device flow, rather than the ‘device interaction’ stage. This means that much less information is available to the rule.
For example, consider Sample Use Cases: Deny access to anyone calling an API which varies its behavior based on audience. This rule doesn’t work with device flow.
For another example, the Account Linking Extension doesn’t work with device flow.
Meanwhile, I’d like to write a rule which adds some scopes based on the target audience, and I need device flow. Aside from using Authz Core, any other ideas? Thanks.
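
The failure mode described in the post above, as an added example that is not part of the original post and is not Auth0's code: a rule that derives extra scopes from the audience in `context.request`, and grants nothing extra when no audience is visible. The audience identifier, scope name, helper names and both sample contexts are constructed assumptions.

```javascript
// Added example: hypothetical audience-to-scope mapping (placeholder values).
const SCOPES_BY_AUDIENCE = {
  'https://api.example.test/': ['read:reports'],
};

// Read the audience the way audience-based rules usually do: from the
// query string or body of the request the rule was handed.
function resolveAudience(context) {
  const req = context.request || {};
  return (req.query && req.query.audience) ||
         (req.body && req.body.audience) ||
         null;
}

// Rule body: add scopes for a known audience, fail closed otherwise.
function addScopesByAudience(user, context, callback) {
  const audience = resolveAudience(context);
  if (!audience) {
    // Per the post, in device flow the rule sees the browser-interaction
    // request, so the audience may be absent. Grant nothing extra rather
    // than guessing or falling back to a default audience.
    return callback(null, user, context);
  }
  const extra = SCOPES_BY_AUDIENCE[audience] || []; // unknown audience: none
  context.accessToken = context.accessToken || {};
  context.accessToken.scope = (context.accessToken.scope || []).concat(extra);
  return callback(null, user, context);
}

// Constructed contexts, not captured from a real tenant.
const codeFlowContext = () => ({
  request: { query: { audience: 'https://api.example.test/' }, body: {} },
});
const deviceFlowContext = () => ({ request: { query: {}, body: {} } });

// Run the rule once and return the scopes it ended up granting.
function grantedScopes(context) {
  let scopes = [];
  addScopesByAudience({}, context, (err, user, ctx) => {
    scopes = (ctx.accessToken && ctx.accessToken.scope) || [];
  });
  return scopes;
}

console.log('authorization request:', grantedScopes(codeFlowContext()));
console.log('device flow request:  ', grantedScopes(deviceFlowContext()));
```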