When a user logs in to our iOS app for the first time, the JWT access token does not contain any permissions until the second time they log in.
From what I have read so far, it seems this is because the Auth0 actions have not fully completed by the time we receive the first access token on the frontend (iOS App).
I notice React or SPA web apps can resolve this easily via the Auth0 SDK by using a getTokenSilently function; however, we don't have something similar in the iOS SDK.
The solution we are considering is if the user’s permissions are empty, we make a request to renew a refresh token, which then contains the permissions we need because the Auth0 actions have completed.
Is there a better way of going about this? Are there any inherent risks to enabling refresh tokens (they are currently disabled) I might not be aware of?
Is it true the only way to receive a refresh token from the /token endpoint is to enable Allow Offline Access in the API Manager?
We use Microsoft Active Directory for validating users.
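The check-then-refresh workaround described in the question, written out as an added example in Python rather than Swift (it is not code from the original post or from Auth0's SDK). The tenant domain, client id and both tokens are constructed placeholders; the JWT payload is only decoded, not verified, because the client is making a UX decision here, not an authorization decision.

```python
import base64
import json
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(claims: dict) -> str:
    """Build a constructed, unsigned sample token for demonstration only.
    Real access tokens are signed by the tenant; the API validates them."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying it.
    Acceptable for deciding whether to refresh; never use unverified claims
    to grant access on the server side."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def needs_refresh(access_token: str) -> bool:
    """True when the token carries no permissions, i.e. the first-login case
    where the Action had not populated them yet."""
    claims = decode_jwt_payload(access_token)
    return not claims.get("permissions")


def build_refresh_request(domain: str, client_id: str, refresh_token: str):
    """Return (url, form_body) for the refresh_token grant at /oauth/token.
    A native app is a public client, so no client_secret is sent; the refresh
    token is only issued if offline_access was requested at authorize time."""
    url = f"https://{domain}/oauth/token"
    body = urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    })
    return url, body


# Constructed sample tokens: first login has no permissions, second one does.
FIRST_LOGIN_TOKEN = make_sample_jwt({"sub": "ad|user1", "permissions": []})
SECOND_LOGIN_TOKEN = make_sample_jwt({"sub": "ad|user1", "permissions": ["read:reports"]})
```

Store the refresh token in the keychain and rotate it on every refresh; the decision above only triggers the extra round trip when the first token arrives empty.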
Are you attempting something like is outlined in this FAQ to add roles/permission to a user’s token? Which type of Action are you using?
Refresh tokens are encouraged for native mobile apps and are considered a safe approach to improving the user experience. I recommend checking out both this article as well as this blog post to learn more.
That is correct. The only way a refresh token will be granted is if the offline_access scope is included in the authorize request.