How to silently re-authenticate a client to a new audience

We have a released app in the market which is authenticated using:

const credentials = await auth0.webAuth.authorize({
  scope,
  audience,
  connection,
});

The issue is that the audience was apparently set to:

"aud": [
    "MANAGEMENT_API_IDENTIFIER",
    "https://my-domain.auth0.com/userinfo"
  ],

We have never used Roles+Permissions before so this has never been an issue on our backend. But now we need to use Permissions and therefore we created a new API in the Auth Dashboard and replaced the MANAGEMENT_API_IDENTIFIER with our new API in the audience.

We do not want all of our users to sign in again once we release the new client, so how can we get a new access token or re-authenticate silently but to our new API audience instead?

Hi @simon.radinn.com,

Welcome to the Auth0 Community!

I understand that you want to know if changing the audience will require your users to log in again.

I did a quick test to see if changing the audience to a different API required the users to log in again and it looks like it does indeed require a new login. Are you able to set up a test environment to see if you get the same behavior?

Hi Dan,

Calling auth0.webAuth.authorize does not take any previous access, refresh or ID token, therefore it will always ask the user to re-authenticate.

And unfortunately the refresh token endpoint /oauth/token does not take an audience, hence my question: how do we get an accessToken with the new audience?

I did a bit more investigating, and I found that a refresh token is only scoped to retrieve an access token with the same audience.

This means you will have to have your users re-authenticate to retrieve a new refresh token.
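Since a refresh token can only mint access tokens for the audience it was issued for, the practical question for the client is how to tell, per user, whether the stored token already targets the new API (then a refresh is enough) or was issued for the old audience (then an interactive auth0.webAuth.authorize call is unavoidable). The following is an added example written for this thread, not code from the original posts or from the Auth0 SDK. It decodes the access token's `aud` claim without verifying the signature, which is acceptable only as a client-side routing hint: the API itself must still validate signature, `exp` and `aud` on every request. The audience `https://api.example.com`, the sample tokens and the `exp` values are constructed for the example.

```javascript
// Added example (not from the thread): decide whether a stored Auth0 access
// token can be refreshed for the new API audience or whether the user must
// go through auth0.webAuth.authorize() again.

// Hypothetical identifier of the new API created in the Auth0 dashboard.
const NEW_API_AUDIENCE = 'https://api.example.com';

// Audience the old client was issued tokens for (taken from the question).
const OLD_AUDIENCES = ['MANAGEMENT_API_IDENTIFIER', 'https://my-domain.auth0.com/userinfo'];

function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Constructed, unsigned sample token (alg "none") for offline testing only.
// Real Auth0 access tokens are RS256-signed; only the claim layout matters here.
function makeSampleToken(aud, expSeconds) {
  const header = { alg: 'none', typ: 'JWT' };
  const payload = { iss: 'https://my-domain.auth0.com/', aud, exp: expSeconds };
  return `${base64url(header)}.${base64url(payload)}.`;
}

// Decode (NOT verify) the payload of a compact JWS. Throws for opaque tokens,
// which Auth0 issues when no API audience was requested at all.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// RFC 7519: "aud" may be a single string or an array of strings.
function tokenHasAudience(token, audience) {
  const { aud } = decodeJwtPayload(token);
  const list = Array.isArray(aud) ? aud : [aud];
  return list.includes(audience);
}

function isExpired(token, nowSeconds) {
  const { exp } = decodeJwtPayload(token);
  return typeof exp !== 'number' || exp <= nowSeconds;
}

// Returns one of:
//   'ok'      - stored token already targets the new API and is still valid
//   'refresh' - same audience, just expired: the refresh token (POST /oauth/token)
//               can mint a new access token for that audience
//   'reauth'  - token is opaque or was issued for a different audience;
//               a refresh cannot change the audience, so the user must log in again
function nextStep(token, requiredAudience, nowSeconds) {
  let hasAudience;
  try {
    hasAudience = tokenHasAudience(token, requiredAudience);
  } catch (e) {
    return 'reauth';
  }
  if (!hasAudience) return 'reauth';
  if (isExpired(token, nowSeconds)) return 'refresh';
  return 'ok';
}

module.exports = { NEW_API_AUDIENCE, OLD_AUDIENCES, makeSampleToken, decodeJwtPayload, tokenHasAudience, isExpired, nextStep };
```

In the 'reauth' branch the client runs the same `auth0.webAuth.authorize({ scope, audience, connection })` call shown in the question, now with `audience` set to the new API identifier; only users whose stored token lacks that audience see the login prompt, which is the closest you get to a silent migration given the refresh-token behaviour described above.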

Thank you Dan for your answer.

This is quite unfortunate, however hopefully this will be an ok trade-off for the RBAC.

