How (or does) ID token get updated in SPA silent authorization flow?

Does the protocol for silently obtaining an Access Token in a SPA, while a user session in the Authorization Server is still active, trigger a call to get updated user claims/roles from whichever social connection/database the user authenticated with?

If not, how should I get the updated information with accurate claims/roles?

Yes, it should return the current information for the user.

As documented here, Silent Authentication within a SPA calls the /authorize endpoint which returns a new token.

I’ve tested this with a React SPA and indeed if you modify the active user’s roles you’ll see the changes after reauthentication (silent or otherwise).

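The silent flow discussed in this thread, sketched as an added example (not code from either poster or from any SDK): it builds the `prompt=none` request to `/authorize`, then compares the roles in the newly issued ID token with the ones the SPA was holding. `ISSUER`, `CLIENT_ID`, the `ROLES_CLAIM` name and all function names are assumed placeholders, and signature validation of the token is assumed to happen in the OIDC library.

```javascript
// Added example. ISSUER, CLIENT_ID and ROLES_CLAIM are assumed placeholders.
const ISSUER = "https://tenant.example.com";
const CLIENT_ID = "spa-client-id-placeholder";
const ROLES_CLAIM = "https://app.example.com/roles"; // hypothetical custom claim
// Standard OIDC errors returned for prompt=none when the session cannot be reused.
const NEEDS_INTERACTION = ["login_required", "consent_required", "interaction_required"];

// prompt=none asks the authorization server to answer from the existing session
// without showing any UI; state, nonce and the PKCE challenge come from the caller.
function buildSilentAuthorizeUrl({ state, nonce, codeChallenge, redirectUri }) {
  const url = new URL("/authorize", ISSUER);
  url.search = new URLSearchParams({
    client_id: CLIENT_ID, response_type: "code", prompt: "none",
    scope: "openid profile", redirect_uri: redirectUri, state, nonce,
    code_challenge: codeChallenge, code_challenge_method: "S256",
  }).toString();
  return url.toString();
}

// Decodes the payload only. Signature, iss, aud and exp validation is assumed to
// be done by the OIDC library before the claims are trusted.
function decodeIdTokenClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Takes the outcome of the silent flow (after code exchange) and reports which
// roles changed relative to the claims the SPA had before re-authentication.
function applySilentResult(result, expectedNonce, previousClaims) {
  if (result.error) {
    if (NEEDS_INTERACTION.includes(result.error)) return { status: "interactive_login_required" };
    throw new Error(`silent authentication failed: ${result.error}`);
  }
  const claims = decodeIdTokenClaims(result.id_token);
  if (claims.nonce !== expectedNonce) throw new Error("nonce mismatch, discarding token");
  const before = new Set(previousClaims[ROLES_CLAIM] || []);
  const after = new Set(claims[ROLES_CLAIM] || []);
  return {
    status: "refreshed",
    claims,
    added: [...after].filter((r) => !before.has(r)),
    removed: [...before].filter((r) => !after.has(r)),
  };
}
```

A `login_required` result means the session at the authorization server is gone, so the SPA should fall back to an interactive login instead of keeping the old claims.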
