How to detect changes in Access Token (added via Rules)

sympi · March 23, 2022, 10:32pm

I am renewing Access Token once it expires (8 hours in my case).

The problem is that I save some things in Access Token. Using Rules I am adding “roles” to it like this:

  context.accessToken[namespace + '/roles'] = context.authorization.roles;

This way, in my app I can display appropriate UI based on the role the user has, which is great.

The problem is that once I add/delete a role to the user, they have to sign out and sign in again to regenerate a new access token so that the UI gets updated.

Is there a way to detect changes to the data added using rules and based on that sign out user or regenerate a new access token?

rueben.tiow · March 23, 2022, 11:18pm

Hi @sympi,

Thanks for reaching out to the Auth0 Community!

Before we proceed, could you please clarify how you are adding and deleting the user’s Roles?

And could you please clarify if you are changing them after the user has logged in?

Thank you.

sympi · March 24, 2022, 7:40am

Hi @rueben.tiow

And could you please clarify if you are changing them after the user has logged in?

Yes, I can change them at any point in time, even if user is already logged in.

Before we proceed, could you please clarify how you are adding and deleting the user’s Roles?

I do it through Dashboard → Users → User → Roles → here I can remove or assign a role

rueben.tiow · March 24, 2022, 10:57pm

Hi @sympi,

Thank you for your response and clarification.

Generally, when updating a user before they log in, the user profile information should reflect correctly after the login transaction is complete. This is expected when decoding the access token of the user.

On the contrary, when updating a user post login, the user profile information will not reflect the newly updated information since the decoded token holds information up until the login transaction.

As you observed, you will need to refresh the access tokens to read the newly updated user profile details.

There are a couple of options.

Configure Silent Authentication to leverage the use of refresh tokens in getting a new access token without prompting the user for credentials again or having them log out and log in again.

or

Calling the Management API Get a User endpoint to get the latest user profile.

By doing so, you can guarantee the latest user profile data.

I hope that helps!

Please let me know if you need further clarification or have any questions.

Thank you.

Topic		Replies	Views
Auth0 update access token on assigning new permission to user role Help auth0 , management-api , roles , permissions	5	6984	September 2, 2019
Updating permissions in the access token Help roles , access-token , permissions , token-expiration	5	6201	April 20, 2019
Updated user roles in user info api Help configuration , application	4	11	November 19, 2024
What is the best practice of getting noticed when roles of users are changed Help role	2	2606	July 15, 2021
Beginner Question on Logins / User Roles Help login	6	3225	August 19, 2021

How to detect changes in Access Token (added via Rules)

Related topics