[SPA here] Refresh the token updating the claims (example for updating role)

Hello guys, auth0 is so awesome :slight_smile:

We’re playing with auth0, giving him a chance, and I have a little doubt.

ps: I’m aware refresh tokens should be forbidden (are forbidden?) on SPA

I am about to create a webhook in order to add custom roles to an user, but I was thinking:

if I change the role to an user while he’s logged, there’s no way to refresh his ‘claim’ containing the role, he has to log-off and log-in again, right? Or refreshing token would call the webhook and grabs the new role?

I’m trying to understand that expecially because having a role on claims would have a great positive performance impact, without having to query everytime I make an api call, and I need the same thing for a ‘subscription-plan policy’, so for example when my user wants to buy a subscription, I would want it to have on the claims too.


Refresh tokens are indeed not allowed when using SPAs (see [the restrictions] (Refresh Tokens))

When using an SPA, the only secure option is to use Silent Authentication. This will make a request to the /authorize endpoint with prompt=none, so no user interaction will be needed, but still the rules will be run. Hooks at the moment are only run for signups and on the client credentials exchange. So, if you’re adding the new role in a rule, it will be available as soon as the silent authentication is successful and the claims in the token you get from that request are updated.