Unable to Refresh JWT with Updated Custom Claims in React App Using Auth0 Refresh Tokens

Hi Auth0 Community,

I’m currently facing an issue with refreshing JWT tokens in my React JS application that uses Auth0 with refresh tokens enabled (useRefreshTokens: true). Here is my setup and the problem I’m encountering:

Setup:

  • I’m using Auth0 in a React JS app, and I’ve enabled the use of refresh tokens.
  • I’ve added custom JWT claims via an Action in the Flow, specifically using the onExecutePostLogin action.
  • After modifying these custom claims in the onExecutePostLogin action, I want to refresh the JWT token so that the updated claims are reflected in the token.

Problem:

Even though I call getAccessTokenSilently({ ignoreCache: true, cacheMode: "off" }), the returned access token still contains the old claims. I can confirm that the onExecutePostLogin action is triggered and the claims are indeed being updated on the backend. However, the access token my application receives still has the outdated claims.

What I’ve Tried:

  • Using ignoreCache: true and cacheMode: "off" in the getAccessTokenSilently method to bypass any caching.
  • Verifying that the onExecutePostLogin Action is working as expected and that the claims are updated correctly during the login process.

Question:

How can I force the Auth0 React SDK to return an access token with the updated custom claims immediately, without requiring the user to log out and log back in or waiting until the token naturally expires?

Any guidance or advice on how to achieve this would be greatly appreciated!

Thank you!

Hey there @david54 welcome to the community!

First off, you’re on the right track in terms of refreshing tokens to get new claims. What do you mean by claims are indeed being updated on the backend? Does the expiration on the refreshed access token get updated as expected? Can you share your action code as well?

Hi Tyf,

Thanks for your comment and warm welcome.

I was able to find the solution in the meantime. The issue was in the onExecutePostLogin action. When not using the refresh token, all the authorizationParams from the getAccessTokenSilently function are passed to the onExecutePostLogin in the event.request.query property. However, when using the refresh token, the parameters are passed in event.request.body. Once I updated the onExecutePostLogin action, everything started working as expected.

1 Like
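The fix described in the reply above, sketched as an added example (not the poster's Action code): the Action reads a client-supplied parameter from `event.request.query` or `event.request.body`, whichever the flow populated. The parameter name `org_hint`, the claim name, and the `app_metadata.allowed_orgs` field are hypothetical; because the parameter is caller-controlled, it is only used to select among values already stored for the user.

```javascript
// Added example: names marked "hypothetical" are assumptions, not from the thread.
const PARAM = "org_hint";                 // hypothetical authorizationParams key
const CLAIM = "https://example.com/org";  // hypothetical namespaced custom claim

// Without refresh tokens the parameters arrive in the query string of the
// authorize request; with refresh tokens they arrive in the token request body.
function readAuthParam(event, name) {
  const req = event.request || {};
  const fromQuery = req.query && req.query[name];
  const fromBody = req.body && req.body[name];
  const value = fromQuery !== undefined ? fromQuery : fromBody;
  return typeof value === "string" && value.length > 0 ? value : undefined;
}

// The parameter is caller-controlled, so it only selects among values the
// tenant already stored for this user (hypothetical app_metadata.allowed_orgs).
function resolveOrgClaim(event) {
  const requested = readAuthParam(event, PARAM);
  const allowed = (event.user.app_metadata || {}).allowed_orgs || [];
  return requested !== undefined && allowed.includes(requested) ? requested : undefined;
}

async function onExecutePostLogin(event, api) {
  const org = resolveOrgClaim(event);
  if (org !== undefined) api.accessToken.setCustomClaim(CLAIM, org);
}
// Auth0 Actions entry point (guarded so the file also loads outside CommonJS).
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Constructed sample events for the two flows.
const user = { app_metadata: { allowed_orgs: ["acme", "globex"] } };
const interactiveEvent = { user, request: { query: { org_hint: "acme" }, body: {} } };
const refreshEvent = { user, request: { query: {}, body: { org_hint: "globex" } } };
```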

Hey @david54 that’s great! Thanks for confirming.
