I have two versions of an API: prod and dev. So I defined two separate APIs, clients and connections/realms. I need to use the password-realm grant to support some legacy functionality.
The problem is that if I have valid credentials from the dev realm, I can use the dev client and request a token for the prod audience. Then I can use that access_token to make requests to the prod API and the token will be validated.
How can I lock down the audience so that only users from the prod realm, using the prod client can request tokens for the prod audience?
When I go to API settings > Non-Interactive Clients I disable all the clients but that doesn’t have any effect on the password-realm grant.
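One server-side way to enforce the lock-down described above, as an added example that is not part of the original post: an Auth0 Rule that refuses to issue a token for the prod audience unless the request came in through the prod client and the prod realm (connection). The audience identifier, client id and connection name are placeholders; `UnauthorizedError` is a stand-in for the global the Rule runtime provides, and the example assumes the password-realm grant carries `audience` in the request body.

```javascript
// Added example (not the original poster's code): an Auth0 Rule that denies a
// token for the prod audience when the request did not come through the prod
// client and the prod realm. All identifiers below are placeholders.
const PROD_AUDIENCE = 'https://prod-api.example.com';   // placeholder API identifier
const PROD_CLIENT_ID = 'PROD_CLIENT_ID_PLACEHOLDER';     // placeholder client id
const PROD_CONNECTION = 'prod-users';                     // placeholder realm/connection name

// Stand-in for the UnauthorizedError that the Auth0 Rule runtime exposes globally.
class UnauthorizedError extends Error {}

function lockProdAudience(user, context, callback) {
  // Assumption: the password-realm grant posts `audience` in the body; other
  // flows pass it in the query string, so both locations are checked.
  const body = (context.request && context.request.body) || {};
  const query = (context.request && context.request.query) || {};
  const audience = body.audience || query.audience;

  if (audience === PROD_AUDIENCE) {
    const wrongClient = context.clientID !== PROD_CLIENT_ID;
    const wrongRealm = context.connection !== PROD_CONNECTION;
    if (wrongClient || wrongRealm) {
      // Deny issuance: dev credentials must never yield a prod-audience token.
      return callback(new UnauthorizedError('prod audience requires the prod client and realm'));
    }
  }
  // Any other combination (prod/prod, or a non-prod audience) proceeds as normal.
  return callback(null, user, context);
}

// Helper to exercise the rule outside Auth0 with a constructed request;
// returns 'allowed' or 'denied' depending on the callback outcome.
function evaluate(clientID, connection, audience) {
  let outcome;
  lockProdAudience(
    { user_id: 'auth0|constructed-user' },            // constructed user object
    { clientID, connection, request: { body: { audience }, query: {} } },
    (err) => { outcome = err ? 'denied' : 'allowed'; }
  );
  return outcome;
}
```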