I’m seeing strange behavior with the Authorization Extension’s Persistence feature between logins that happen via the Lock widget and logins that happen via a “Resource Owner Password” access_token request.
When a user logs in via the Lock widget, the app_metadata properly fills in with the authorization persistence settings (groups, roles, permissions), but after a POST /oauth/token for that same user, only the groups authorization settings remain in the app_metadata. The roles and permissions values are emptied. Not until the user again logs in via the Lock widget do these values fill back in.
This was very much unexpected. Any ideas?