How to identify access tokens generated by the same refresh token?

massimoalbarello · April 9, 2025, 3:33pm

The problem with the session id is that it is not necessarily unique across different authorizations (if a user authorizes twice without logging out in between, both authorizations would get the same session id).

From what I found, the event.refresh_token.id is the only value that can actually be used to distinguish two authorizations. Is there a way for me to access the event.refresh_token.id during the oidc-basic-profile action?

Alternatively, is there another action that can be triggered after exchange authorization code for access token so that in there I might be able to both write a custom claim onto the access token and read the id of the refresh token?

Thanks again

Topic		Replies	Views
Persistent custom claims in Access Token when using Refresh Tokens Get Help extensibility , actions-extensibility	3	1402	December 22, 2023
Make refresh_token.id available during `oidc-basic-profile` of post-login action Product Feedback	1	33	April 30, 2025
How to Persist MFA Verification Status in Access Token During Refresh Token Exchange in Auth0 Actions? Get Help mfa , mfa-prompt-new-experience	2	21	July 17, 2025
Update Access Token custom claims with Refresh Token Get Help refresh-tokens , custom-claims , claims	6	4655	October 7, 2022
OAuth for generating Management API tokens Get Help api , management-api , oauth , refresh-tokens , tokens	3	4200	March 2, 2018

How to identify access tokens generated by the same refresh token?

Related topics