We have a rule that currently sets a custom claim as an id, and the value is generated within the rule.
We would like to actually pass this value into the signup flow securely. We understand that we can send the value via POST for /oauth/token (for email/password flows) and via GET to /authorize endpoint (for social/Authorization Code flow).
Collisions are not the issue. The goal is to keep the same id when an anonymous user signs up. But we don’t want malicious users trying to sign up with random or other people anonymous ID. That’s why the idea of the single-use short-lived jwt just to pass the utid to the sign-up flow.
I think the issue here lies in the fact that you are trying to validate something that was created in an untrusted public client. Without issuing the UTID(or JWT) from a trusted client like a backend API, I don’t think you will find a simple way to be sure it is genuine.
Just one more queston:
For social (Authorization Code) flows the rules run on the authorize endpoint, and for Resource Owner Password Grant flows (and OTP) on the oauth/token endpoint. Is this correct?
They run after successful authentication, which would be after a user submits credentials and they are authenticated, not specifically on a call to any endpoint.
Does that make sense? I find this graphic really helpful in visualizing where each piece of the puzzle sits.