Need Actions to trigger during /oauth/token code exchange request

Problem statement

Due to an internal policy, when we integrate our services with third parties we need to inspect the /oauth/token request with Rules/Actions because we need to validate any additional values being sent in the requests for access tokens.

With authorization code flow, we see Actions running after the /authorize request, but is there a way to have a certain Action or Rule run only during the code exchange at the /oauth/token endpoint?

Solution

In the authorization code flow, the application makes two API calls to Auth0 – the GET /authorize request and the POST /oauth/token request.

The Actions / Rules are only executed while processing the GET /authorize request. The logic behind this behavior is that the POST /oauth/token request is only used to exchange the authorization code for tokens; no extra authorization, profile enrichment, etc. (i.e., the things that Rules do) is supposed to happen in this process. So it is not possible to inspect the parameters of the /oauth/token request in the authorization code flow from any of the Auth0 extensibility points (e.g. Rules, Hooks, Actions).

An alternative solution could be a custom domain with a self-managed certificate:

With a custom domain using a self-managed certificate, you will use your own reverse proxy to forward all requests to your Auth0 tenant, allowing you to inspect any request's content.
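As an added illustration of that alternative (example code, not Auth0's own or from the original answer), here is a minimal Go reverse proxy that enforces a policy check on the code-exchange body before forwarding it to the tenant. The required extra parameter `client_context`, the origin placeholder, the custom domain `login.example.com` and the certificate paths are assumptions; the `cname-api-key` header is the one Auth0's self-managed certificate setup expects the proxy to add.

```go
package main

import (
	"bytes"
	"errors"
	"io"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Policy check for the code exchange; "client_context" is a hypothetical extra parameter.
func validateTokenRequest(form url.Values) error {
	if form.Get("grant_type") != "authorization_code" {
		return nil // only the code exchange is covered by the policy
	}
	if form.Get("client_context") == "" {
		return errors.New("code exchange is missing client_context")
	}
	return nil
}

// newProxy fronts the Auth0 origin with a reverse proxy that inspects form-encoded POST /oauth/token bodies before forwarding; all else passes through.
func newProxy(origin *url.URL, customHost, cnameAPIKey string) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(origin)
	director := rp.Director
	rp.Director = func(r *http.Request) {
		director(r)
		r.Host = customHost                        // Auth0 serves the tenant on the custom domain
		r.Header.Set("cname-api-key", cnameAPIKey) // key issued when the custom domain was verified
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost && r.URL.Path == "/oauth/token" {
			body, err := io.ReadAll(r.Body)
			form, perr := url.ParseQuery(string(body))
			if err != nil || perr != nil || validateTokenRequest(form) != nil {
				http.Error(w, "token request rejected by policy", http.StatusBadRequest)
				return
			}
			r.Body = io.NopCloser(bytes.NewReader(body)) // restore the body for forwarding
		}
		rp.ServeHTTP(w, r)
	})
}

func main() {
	origin, _ := url.Parse("https://ORIGIN-DOMAIN-FROM-AUTH0-DASHBOARD") // placeholder origin
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem", newProxy(origin, "login.example.com", "CNAME-API-KEY")))
}
```

Auth0 also accepts JSON bodies on /oauth/token, so a production proxy would parse that content type the same way before forwarding.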