Hello,
I am trying to understand why calling getAccessTokenSilently redirects me back to the login page after I update my user's app_metadata via the Management API.
Here’s my setup:
- I have two applications: 1) an SPA, and 2) an M2M
- The SPA shows the Auth0 login screen and upon successful signup/login redirects back to my application
- After redirecting, the user is requested to enter an invite code (from their email) to link the Auth0 user to my backend domain model
- The SPA invokes my backend with the invite code. The backend uses the M2M client credentials to call the Management API to enhance the logged-in user’s app_metadata with a linking id
- I also have a Rule defined which upon login/silent-auth will append the app_metadata as a custom claim in the new access token
- After the backend call completes, the SPA requests a new access token via silent-auth. This is so that all subsequent backend calls will be made with a new token that contains the custom claim.
The issue I am facing is that when requesting a new token via silent-auth (after the backend call), the SPA gets a “login required” error and gets redirected back to the Auth0 login page.
Now what’s odd is that if I update the user’s app_metadata directly in Auth0 and then have the SPA request a new access token, it’s all hunky dory. But if I update the same user via the Management API, a request for a new token fails and requires a re-login.
Is there a difference in the way Auth0 handles updating a user directly from the Auth0 UI vs the Management API? Why does silent-auth work just fine in the former case, but does not work in the latter case?
I feel like I am missing something fundamental. Any help here would be much appreciated.
Thanks!
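The Rule described in the post (copy app_metadata into a custom claim so the silently refreshed token carries the linking id) can be exercised locally before deploying it. The following is an added example, not the poster's code or Auth0's own: an Auth0 Rule in the standard `function (user, context, callback)` shape, plus a small harness that runs it against constructed user objects. The claim namespace `https://example.com/` and the app_metadata key `linking_id` are assumptions; substitute your own. It deliberately copies only the one field the backend needs rather than the whole app_metadata object, so the token does not expose unrelated metadata to the SPA.

```javascript
// Added example (not from the original post): an Auth0 Rule that copies a single
// app_metadata field into a namespaced custom claim on the access token.
// Assumptions: the namespace below and the key `linking_id` are placeholders.

const CLAIM_NAMESPACE = 'https://example.com/'; // assumed; must be a URL-style namespace
const LINKED_FIELD = 'linking_id';              // assumed key written by the backend

// The Rule itself. Auth0 calls it as (user, context, callback) on every login
// and on every silent-auth that actually reaches the authorization server.
function addLinkingIdClaim(user, context, callback) {
  const appMetadata = (user && user.app_metadata) || {};
  const linkingId = appMetadata[LINKED_FIELD];

  // Copy only the one field, and only when it is a non-empty string, so an
  // unlinked user simply gets a token without the claim rather than an error.
  if (typeof linkingId === 'string' && linkingId.length > 0) {
    context.accessToken[CLAIM_NAMESPACE + LINKED_FIELD] = linkingId;
  }
  return callback(null, user, context);
}

// Local harness: run the Rule against a user with a fresh context and return
// the claims that would be added to the access token.
function runRule(user) {
  const context = { accessToken: {} };
  let claims;
  addLinkingIdClaim(user, context, (err, _user, ctx) => {
    if (err) throw err;
    claims = ctx.accessToken;
  });
  return claims;
}

// Constructed sample users (not real tenant data).
const linkedUser = {
  user_id: 'auth0|sample-linked',
  app_metadata: { linking_id: 'cust-123', internal_note: 'should not reach the token' },
};
const unlinkedUser = { user_id: 'auth0|sample-unlinked' };

console.log(JSON.stringify(runRule(linkedUser)));   // claim present
console.log(JSON.stringify(runRule(unlinkedUser))); // no claim, no error
```

When the SPA asks for the refreshed token, the Rule only runs if the request reaches Auth0; with auth0-spa-js v1 that means passing `ignoreCache: true` to `getAccessTokenSilently`, otherwise the SDK returns the cached pre-update token and the new claim never appears.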