Update access token after changing the role

  • I have an Express-based web application where, as soon as a user with a guest role pays for our service, we want to assign him a premium-user role. For that, I am using this link.
  • What I want is for this user to have the latest access token based on the latest permission, so I can use a new access token (req.oidc.accessToken.access_token) for the RBAC-based API.
  • I also want to change the payload of the id-token and the new access token, because at the time of login I am using a post-login action to add roles into the payload of the id-token and access-token.
  • Tech stack: Express with express-openid-connect (traditional web app).
    Code for my post-login action and auth config:
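```javascript
// Auth0 post-login Action
exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://chats.com';
  if (event.authorization) {
    // Copy the user's roles into both tokens as a namespaced custom claim
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
};
```

```javascript
// Express app: express-openid-connect configuration
import express from 'express';
import { auth } from 'express-openid-connect';

const app = express();

export const config = {
	authRequired: false,
	auth0Logout: true,
	secret: 'secret', // placeholder value
	baseURL: 'http://localhost:8080/',
	clientID: 'client_id', // placeholder value
	issuerBaseURL: 'https://something.auth0.com',
};

app.use(
	auth({
		...config,
		attemptSilentLogin: false,
		routes: {
			login: false,
		},
		clientSecret: 'client-secret', // placeholder value
		authorizationParams: {
			response_type: 'code',
			response_mode: 'form_post',
			// Requesting an API audience makes the access token specific to this API
			audience: 'http://localhost:8080/api/message',
		},
	}),
);
```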
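The roles claim set by the post-login Action is fixed when a token is issued, so a token obtained before the role change still carries the old roles. The following is an added example, not code from the original post: it checks whether a cached access token already carries an expected role under the `https://chats.com/roles` claim. The helper names and sample tokens are constructed, and the decode skips signature verification, so it serves only as a client-side staleness hint while the API keeps validating the token itself.

```javascript
// Added example: hypothetical helpers and constructed tokens, not the poster's code.
const ROLES_CLAIM = 'https://chats.com/roles'; // namespace + '/roles' from the Action

// Decode a JWT payload WITHOUT verifying the signature.
// Acceptable for a "is my cached token stale?" hint, never for authorization.
function decodePayload(token) {
  if (typeof token !== 'string') return null; // e.g. access token is undefined
  const parts = token.split('.');
  if (parts.length !== 3) return null; // opaque (non-JWT) access token
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null; // payload segment is not valid JSON
  }
}

// Roles carried in the token, or [] when the claim is missing or malformed.
function rolesInToken(token) {
  const payload = decodePayload(token);
  const roles = payload && payload[ROLES_CLAIM];
  return Array.isArray(roles) ? roles : [];
}

// True when the token must be re-issued before it can reflect expectedRole:
// it is unreadable, already expired, or was minted before the role was assigned.
function needsReissue(token, expectedRole, nowSeconds = Math.floor(Date.now() / 1000)) {
  const payload = decodePayload(token);
  if (!payload) return true;
  if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) return true;
  return !rolesInToken(token).includes(expectedRole);
}

// Builds a constructed, unsigned sample token for the demonstration below.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

const base = { sub: 'auth0|constructed', exp: 4102444800 }; // constructed values
const guestToken = makeSampleToken({ ...base, [ROLES_CLAIM]: ['guest'] });
const premiumToken = makeSampleToken({ ...base, [ROLES_CLAIM]: ['premium-user'] });

console.log(needsReissue(guestToken, 'premium-user'));   // token predates the upgrade
console.log(needsReissue(premiumToken, 'premium-user')); // token already has the role
```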

2 posts were merged into an existing topic: Access-token is undefined after adding roles after post-login action