Retrieve newly added user scope without user re-authorize

Hello Auth0 Forums
I have an instance where a user is given a new role after they are authorized in the SPA.
My goal is to update the JWT token cached inside the application without having the user logout and log back in.
I am using refresh tokens with the auth0-spa.js library.
I have “Skip Consent” and “Offline Access” enabled in my APIs.
I also have the rotating tokens enabled in my SPA dashboard.
When I run

auth0Client.getTokenSilently({ ignoreCache: true });

I do receive a new and updated token, but only the permissions have been updated, not the scopes.
Also, if the user logs out and logs back in, the correct scopes are present in the token.

I have also tried

auth0Client.getTokenSilently({ ignoreCache: true, audience: "myAudience" });

But this throws a login_required error.

Is there a way to get the scopes associated with the newly attached role without re-authenticating?

Client Initialization

createAuth0Client({
          audience: env.authAudience,
          domain: env.authDomain,
          client_id: env.authClientId,
          redirect_uri: env.authRedirectUri,
          scope: env.authScopes,
          useRefreshTokens: true,
          cacheLocation: "localstorage",
        })

Login Method

      auth0Client.loginWithRedirect({
        appState: {
          appRoute: redirectUrl,
        },
        scope: env.authScopes,
        audience: env.authAudience,
        pageType: pageType,
        ...extraConfig,
      });

Thank you!

The refresh token you obtained will be associated to the scopes requested (and granted) when the refresh token was issued so getting new access tokens with that token will always be limited by the originally granted scopes. As in, you can refresh tokens and ask for an access token with less scopes than the ones originally granted, but you cannot refresh tokens and ask for an access token with more scopes.

If I recall correctly that behavior is mandated by the OAuth 2.0 specification so I don’t believe there would be a way around that.

Having said that, technically, performing a new login request may not necessarily for the user to actively login again. In particular, there may be an authenticated session that allows that second login request to complete without user having to do another login.

In addition, given this is may be considered a bit of an edge case your application can handle this by doing something like:

  1. call backend API normally until it gets a response that implies the user is valid, but simply does not have the necessary scopes.
  2. at that time either repeat the login automatically to try to see if the user was granted those scopes after the token was issued or tell the end-user that and let them choose if they want to repeat the login.

Technically speaking you could also try to use silent authentication (a second createAuth0Client configured to not use refresh tokens) as means to possibly get access tokens with more scopes without having to do a full top-level redirect.