is there any possibility how to keep custom claims in the access tokens persistent if you use refresh tokens?
Currently, we can add custom claims to access tokens during the authorization pipeline by using rules or actions. But if the client requests offline_access and uses the refresh token to get a new access token, the custom claims are no longer part of the access token.
We have some scenarios where we need this information in all access tokens, not only in the first one that was issued.
Is there any chance to get this done?
Have you tested this? I believe any post-login actions you have configured should run on a successful refresh token exchange, and thus add the custom claims once again. I just tested in my own environment and it seems to be working.
We have tested this and we can rum custom code on a refresh token exchange, but the problem is, that we have no other identifier than the user_id and org_id to get the session information. The use-case is, that we have a refresh token that is “sticked” to a session for specific authorization purposes. For example, we will create an internal couplingID during the first token exchange and we want to store the couplingID in the access token and want to persist it even during refresh token exchanges.
We also did not see any sessionID from Auth0 that we could use for our internal records as a reference