How can I get unauthorized to user trying to get a token?


I’m trying to setup the following use case:

Single Page App - ClientA
API - App A

  • scope: PermissionA
  • RBAC & include permissions enabled

User A - Permission: PermissionA
User B

Flow - Code + pcke using providing SPA examples.

How can I get unauthorized when UserB tries to log in on ClientA and/or when ask a token to audience AppA?

The difference is that API tokens incorporate the user account in the access token while OAuth apps perform authorization without a user account. When you make a choice of using an API token or an OAuth app to make an API call, you must consider the specific requirements of the API service involved in the interaction.