Force getTokenSilently to get a new token

Within a SPA using Authorization Code Flow with PKCE, let’s say I create a rule to add some roles to my access-token so that my backend API doesn’t need to make a call to Auth0 with each request in order to retrieve the roles for the user.

Now let’s say that an employee calls his boss and asks for an extra privilege in the application, so the boss changes the employee’s role to give those privileges.

How do I get that new role into the employee’s access token without the employee needing to logout and log back in? (And will it update if the user logs out and back in?)

I’m guessing if the change is made in the Auth0 dashboard, there’s no way to do this. Let me know if I’m wrong; maybe there’s a rule hook to help.

On the other hand, let’s say the boss makes the change within the application and our backend API has some way of communicating back to the user’s SPA UI that it needs to update its token. Is there a way to force getTokenSilently() to retrieve a new token? It’s my understanding that getTokenSilently() will cache the token locally and only get a new token when the token becomes invalid (i.e. it expires). I believe the token with the old role will still be valid at this point, so getTokenSilently() won’t reach out for a new token. Is there a flag that can be sent to force getTokenSilently() to get a new token? Or maybe there’s another way to force the auth0-spa-js SDK to get a new token?

Hi @dedicatedmanagers,

We normally recommend that access token lifetimes be kept as short as is practical for your application, and use silent authentication to get new access tokens when the current one expires to avoid degrading the UX with additional login requests.
This way, when permissions are changed, they will only be out of sync for the lifetime of their access token.

That being said, you can use the option ignoreCache to force a network call on the getTokenSilently call: https://auth0.github.io/auth0-spa-js/interfaces/gettokensilentlyoptions.html - this should fetch a new token even if the current one has not yet expired.
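To show the ignoreCache option in the scenario this thread describes, here is an added example (not Auth0’s code or the SDK’s): a fetch wrapper that uses the cached token first and, when the backend signals that the token’s roles are out of date, forces getTokenSilently to go to the network and retries once. It assumes a rule placed the roles in a namespaced claim (ROLES_CLAIM) and that the backend signals staleness with a 403 plus a hypothetical header (STALE_HEADER); the Auth0 client and backend below are constructed stand-ins so it runs offline.

```javascript
// Added example, not Auth0's code. Assumed: a rule puts roles in the namespaced claim
// ROLES_CLAIM, and the backend flags a token whose roles are out of date with a 403
// plus the hypothetical STALE_HEADER (constructed convention for this demo).
const ROLES_CLAIM = 'https://example.com/roles';
const STALE_HEADER = 'x-token-stale';
const b64url = (s) => Buffer.from(s).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString();

// Read the JWT payload without verifying it: the SPA only inspects its own token;
// signature verification stays on the API side (Buffer is Node; use atob in a browser).
function decodeJwtPayload(token) {
  return JSON.parse(unb64url(token.split('.')[1]));
}

// Cached token first; if the API reports it stale, getTokenSilently({ ignoreCache: true })
// forces a network call although the token is unexpired, then retry once.
async function callApi(auth0, fetchImpl, url) {
  let token = await auth0.getTokenSilently();
  let res = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
  if (res.status === 403 && res.headers.get(STALE_HEADER)) {
    token = await auth0.getTokenSilently({ ignoreCache: true });
    res = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
  }
  return { status: res.status, roles: decodeJwtPayload(token)[ROLES_CLAIM] || [] };
}

// Constructed stand-ins so the example runs offline. Unsigned token (Auth0 signs real ones):
function makeToken(roles) {
  return `${b64url('{"alg":"RS256","typ":"JWT"}')}.${b64url(JSON.stringify({ sub: 'auth0|123', [ROLES_CLAIM]: roles }))}.sig`;
}
// Mimics auth0-spa-js caching: re-issues only when ignoreCache is set.
function mockAuth0Client(issue) {
  let cached = null;
  return { async getTokenSilently(opts = {}) {
    if (cached === null || opts.ignoreCache) cached = issue();
    return cached;
  } };
}
// Backend that requires a role and flags tokens lacking it as stale.
function mockApi(requiredRole) {
  return async (_url, init) => {
    const roles = decodeJwtPayload(init.headers.Authorization.slice(7))[ROLES_CLAIM] || [];
    const ok = roles.includes(requiredRole);
    return { status: ok ? 200 : 403, headers: { get: (h) => (!ok && h === STALE_HEADER ? '1' : null) } };
  };
}
// The thread's scenario: token cached with old roles, boss adds a role, next call refreshes.
async function demo() {
  let roles = ['employee'];
  const auth0 = mockAuth0Client(() => makeToken(roles));
  await auth0.getTokenSilently();   // cached before the role change
  roles = ['employee', 'admin'];    // granted in Auth0 after caching
  return callApi(auth0, mockApi('admin'), '/api/admin');
}
```

Forcing the refresh only on a backend signal keeps the normal path on the cache; calling ignoreCache on every request would turn each API call into a round trip to Auth0.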

Thanks for the response. Just as a follow up…

Am I correct in the assumption that if the roles are not included in the access token, the backend API will need to use a Management API token to call the Management API to get the user’s roles?

Yes, that is correct: if you need your API to be aware of the roles and you have not added them to the token, you will need to call the Management API to fetch that information.

@sgo Thanks again for the reply. One final question…

Roles have permissions associated with them. So once the backend were to get the roles, would it then have to make yet another call to get the permissions?

Or is it typical to skip getting the roles and go straight to getting the permissions (are Role permissions included in this call)?

Or is it typical to cache the roles & permissions on the backend API server to keep from having to make those requests with every API call?

@dedicatedmanagers - normally you would add the information to the access token, either:

a.) Add the user’s permissions to the access token using the “Add Permissions in the Access Token” toggle - https://auth0.com/docs/dashboard/guides/apis/enable-rbac
This will add an array to the access token listing all of the user’s permissions, but if you have a lot of permissions this may become problematic, as the token size will increase.

b.) Add instead the roles to the token using a rule - https://auth0.com/docs/authorization/concepts/sample-use-cases-rules#add-user-roles-to-tokens

These are the normal ways to avoid having to make additional calls to the Management API, as the user should be presenting the access token with every API request anyway.
