ID Tokens are issued when application requests them. This usually happens when the user first lands in the application, and the application wants to know who the user is to create a session. Depending on the type of application, you can either:
- use a refresh token flow to request a new token without involving any user input. This works for native apps and regular web applications that can keep the refresh token securely.
- request a token like you did the first time (a regular
/authorize call). This is interactive (it assumes the user is using the application). Depending on whether the user still has a session or not, it might not require the user to enter credentials again.
- request a token using
checkSession in Auth0.js. This attempts a silent token request (no user intervention) and relies on the user still having a session at Auth0. Since it doesn’t use refresh tokens, it is suited to use on SPA.
Where are you calling the management API from to update the user? Is it the same application for which you want to receive an updated token? What type of application is it?
If the management API request was done from the same app that needs refreshed information, the easiest (fastest) path is to just update the session with the new information. If you absolutely need rules to be run, then you’ll need to request a new token. If the management API request was executed because of a user interaction (e.g. “I want to update my last name”) you can simply redirect to the login endpoint of your application so that it triggers the regular login flow. This, as said before, might not require the user to enter credentials again if there’s still a session at Auth0.