I’m trying to set up the following use case:
Single Page App - ClientA
API - App A
- scope: PermissionA
- RBAC & include permissions enabled
User A - Permission: PermissionA
Flow - Code + PKCE using the provided SPA examples.
How can I get unauthorized when UserB tries to log in on ClientA and/or when asking for a token for audience AppA?