Within a SPA using Authorization Code Flow with PKCE, let’s say I create a rule to add some roles to my access-token so that my backend API doesn’t need to make a call to Auth0 with each request in order to retrieve the roles for the user.
Now let’s say that an employee calls his boss and asks for an extra privilege in the application, so the boss changes the employee’s role to give those privileges.
How do I get that new role into the employee’s access token without the employee needing to logout and log back in? (And will it update if the user logs out and back in?)
I’m guessing if the change is made in the Auth0 dashboard, there’s no way to do this. Let me know if I’m wrong; maybe there’s a rule hook to help.
On the other hand, let’s say the boss makes the change within the application and our backend API has some way of communicating back to the user’s SPA UI that it needs to update its token. Is there a way to force getTokenSilently() to retrieve a new token? It’s my understanding that getTokenSilently() will cache the token locally and only get a new token when the token becomes invalid (i.e. it expires). I believe the token with the old role will still be valid at this point, so getTokenSilently() won’t reach out for a new token. Is there a flag that can be sent to force getTokenSilently() to get a new token? Or maybe there’s another way to force the auth0-spa-js SDK to get a new token?
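The cache-until-expiry behaviour the post describes, and the stale-role problem it causes, can be modelled in a few lines. The following is an added example, not code from the post or from the auth0-spa-js SDK: a small token cache with an explicit `force` option, exercised against a constructed, unsigned token whose roles claim lives under a hypothetical namespaced key (`https://example.com/roles`). The token source (`issue`) and clock are injected so the scenario runs offline; in a real SPA the SDK talks to the authorization server instead, and the backend API must verify the token signature before trusting any claim, including roles.

```javascript
// Added example (not from the post or from auth0-spa-js): a minimal access
// token cache that returns the cached token until it is about to expire and
// bypasses the cache when the caller passes { force: true }.

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Constructed, unsigned token (header.payload.) for illustration only.
// Real access tokens are signed; never trust claims without verification.
const ROLES_CLAIM = 'https://example.com/roles'; // hypothetical custom claim
function makeFakeToken(roles, exp) {
  const header = b64url({ alg: 'none', typ: 'JWT' });
  const payload = b64url({ sub: 'user|123', exp, [ROLES_CLAIM]: roles });
  return `${header}.${payload}.`;
}

// Decode the payload segment only (no signature check; see note above).
function decodePayload(token) {
  const payload = token.split('.')[1];
  return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
}

function rolesOf(token) {
  return decodePayload(token)[ROLES_CLAIM] ?? [];
}

class TokenCache {
  // issue: () => string, the (hypothetical) token source; now: () => unix seconds
  constructor(issue, now = () => Math.floor(Date.now() / 1000)) {
    this.issue = issue;
    this.now = now;
    this.cached = null;
    this.issuedCount = 0; // how many times the token source was actually hit
  }

  getToken({ force = false } = {}) {
    // Treat the cached token as fresh while it has more than 60 s left.
    const fresh = this.cached !== null && decodePayload(this.cached).exp > this.now() + 60;
    if (!force && fresh) return this.cached;
    this.cached = this.issue();
    this.issuedCount += 1;
    return this.cached;
  }
}

// Walks through the post's scenario: the employee's token is cached, the boss
// grants a new role, an ordinary call still returns the stale roles, a forced
// call picks up the new ones, and after expiry an ordinary call refreshes too.
function demo() {
  let serverRoles = ['employee'];
  let clock = 1_000_000;
  const cache = new TokenCache(() => makeFakeToken(serverRoles, clock + 3600), () => clock);

  const first = rolesOf(cache.getToken());
  serverRoles = ['employee', 'approver']; // role changed server-side
  const stale = rolesOf(cache.getToken()); // cache still valid: old roles
  const forced = rolesOf(cache.getToken({ force: true })); // bypass cache
  clock += 3700; // past expiry
  const expired = rolesOf(cache.getToken()); // refreshed without force
  return { first, stale, forced, expired, issued: cache.issuedCount };
}

module.exports = { makeFakeToken, decodePayload, rolesOf, TokenCache, demo };
```

The `force` flag is the piece the post is asking for: the cache must be bypassed deliberately, because a token carrying the old role is still cryptographically valid until `exp`. In auth0-spa-js that bypass exists as the `ignoreCache: true` option of `getTokenSilently()` in the 1.x releases and as `cacheMode: 'off'` in 2.x; the wrapper above is a model of the same behaviour, not the SDK's code. Whatever triggers the refresh, the API should keep enforcing authorization on the roles it verifies in the presented token rather than on anything the client reports.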