I am using a Custom Database connection for user login. At the time of login, I generate an Access Token with custom claims, which are fetched from my Custom DB during the login script. Users are able to log in and use the application successfully with those claims.
Issue:
After login, based on user interactions/selections, we update those custom claims in our database using our backend API. However, when we try to refresh the Access Token, the updated claims are not reflected — the old claims are still returned. The new claims only appear if the user logs out and logs back in.
Expected Behavior:
We want to be able to refresh the token and get the latest claims (from DB), without forcing the user to log out and log in again.
Hi @yellowblockllp,
Thanks for your question.
I have just tested appending custom claims in a regular login and a refresh token flow. In both cases, I could get the updated custom claims in my access tokens, which I verified by decoding the tokens and checking my logs. However, in my tests, I used a regular database instead of a custom database.
I suspect what might be happening is that the changes you’ve made in your custom DB are not being updated in Auth0 because these updates can only occur once the user logs in again. When that happens, it triggers the custom DB scripts to get the user’s new information. Unfortunately, refresh tokens do not trigger any custom DB scripts, hence the behavior you observed.
In such scenarios, you might consider migrating your users from your custom DB into Auth0. This way, the changes you make to the user profile will not require a sync, as it does when using custom DBs. Then, when performing a refresh token exchange for an access token, the claims would be updated.
Let me know what you decide.
Best,
Rueben
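
Added example, not part of the thread and not Auth0's code: one way to do the "decode the tokens and compare" check described in the reply, by diffing the claims of the access token issued at login against the one returned by the refresh exchange. The claim namespace `https://example.com/`, the `plan` claim and the tokens themselves are constructed for illustration; the payload is only decoded for inspection, the signature is not verified.

```javascript
// Claims that change on every issuance and say nothing about staleness.
const VOLATILE = new Set(["iat", "exp", "nbf", "jti", "auth_time"]);

// Decode the payload segment of a compact JWT (inspection only, no signature check).
function decodePayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  // JWT segments are base64url-encoded without padding.
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Report which non-volatile claims differ between the login token and the refreshed one.
function diffClaims(oldJwt, newJwt) {
  const before = decodePayload(oldJwt);
  const after = decodePayload(newJwt);
  const changed = {}, added = {}, removed = {};
  for (const k of new Set([...Object.keys(before), ...Object.keys(after)])) {
    if (VOLATILE.has(k)) continue;
    if (!(k in before)) added[k] = after[k];
    else if (!(k in after)) removed[k] = before[k];
    else if (JSON.stringify(before[k]) !== JSON.stringify(after[k])) {
      changed[k] = { from: before[k], to: after[k] };
    }
  }
  // stale === true means the refresh returned the same claims as the login token.
  const stale = ![changed, added, removed].some((o) => Object.keys(o).length > 0);
  return { changed, added, removed, stale };
}

// Constructed sample tokens: dummy signature, hypothetical claim namespace.
function makeToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.c2ln`;
}
const NS = "https://example.com/";
const base = { sub: "auth0|123", iat: 1700000000, exp: 1700086400 };
const later = { sub: "auth0|123", iat: 1700003600, exp: 1700090000 };
const loginToken = makeToken({ ...base, [NS + "plan"]: "free" });
const refreshedStale = makeToken({ ...later, [NS + "plan"]: "free" });
const refreshedFresh = makeToken({ ...later, [NS + "plan"]: "pro" });

console.log(diffClaims(loginToken, refreshedStale)); // old claims returned again
console.log(diffClaims(loginToken, refreshedFresh)); // updated claim visible
```

Run it with the token from login and the token from the refresh exchange, after the backend has updated the claims in the database: `stale: true` reproduces the behavior reported in the question.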