Disallow originating of client-side account linking

Hello.
There is an SPA, and the user is able to initiate account linking from the client side. I know that in order to achieve this, the scopes ‘read:current_user update:current_user_identities’ should be added to the Auth0 client. In such a case, the user is able to link authorized accounts.
I want to link accounts via the back-end in order to apply additional checks/business logic. Because of this, I want to restrict the possibility of client-side account linking altogether for the specific app/clientId. As I understand it, to achieve this I need to restrict the scope ‘update:current_user_identities’ for users within the app. Is there any way to do this? Currently I only see the solution with a post-auth action and custom logic that removes the ‘update:current_user_identities’ scope depending on the clientId in the request. But maybe Auth0 has a more natural/elegant solution for such cases, like “define allowed scopes list for the app”?

Hi @evilandrui

Welcome to the Auth0 Community!

Thank you for posting your question. Unfortunately, Auth0 doesn’t provide a built-in feature to define allowed scopes per application. Currently, your best option is to operate on the post-login/post-user-registration actions to restrict the scope for certain applications. I would encourage you to open a thread in the Feedback category, describing your feature request.

Thanks
Dawid
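
A sketch of the post-login Action approach described in the reply above, added here as an example and not taken from the thread or from Auth0's own code: it strips `update:current_user_identities` from access tokens issued to one application, so linking has to go through the back-end. The client ID is a placeholder, `deniedScopesFor` is a hypothetical helper, and the code assumes the post-login `api.accessToken.removeScope` method is available in the tenant's Actions runtime.

```javascript
// Added example. Per-application deny-list of scopes.
// Assumption: "SPA_CLIENT_ID_PLACEHOLDER" stands in for the real client ID
// of the SPA that must not perform account linking from the browser.
const DENIED_SCOPES_BY_CLIENT = {
  SPA_CLIENT_ID_PLACEHOLDER: ["update:current_user_identities"],
};

// Hypothetical helper: scopes that must never reach tokens for this client.
// Unknown clients get an empty list, so other applications are unaffected.
function deniedScopesFor(clientId) {
  return Object.prototype.hasOwnProperty.call(DENIED_SCOPES_BY_CLIENT, clientId)
    ? [...DENIED_SCOPES_BY_CLIENT[clientId]]
    : [];
}

// Post-login Action entry point.
async function onExecutePostLogin(event, api) {
  const denied = deniedScopesFor(event.client.client_id);
  if (denied.length === 0) return;

  const requested = (event.transaction && event.transaction.requested_scopes) || [];
  for (const scope of denied) {
    // Remove unconditionally rather than only when requested, so the
    // restriction does not depend on how the scope ended up on the token.
    api.accessToken.removeScope(scope);
    if (requested.includes(scope)) {
      // A request for a denied scope is worth surfacing in the Action logs.
      console.log(
        `client ${event.client.client_id} requested denied scope ${scope}; removed`
      );
    }
  }
}

// Auth0 Actions load the handler from CommonJS exports.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

The back-end that performs the linking should use its own credentials, and it is worth confirming with a test login that the issued access token for the SPA no longer carries the scope.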
