Update Access Token custom claims with Refresh Token

hector · April 25, 2022, 3:10pm

Hello! We are using the React Native SDK to handle login, logout and fetching new access tokens using the refresh token.

During login we pass a query parameter to the authentication page, which is read by the Login Action flow to add this parameter as a custom claim to the access token.

The problem comes when using the refresh token to get a new access token. We have no way to pass this custom query parameter value with the refresh token to generate the new acces token with the custom claim. This means the new access tokens returned are causing invalid API calls (this claim is required).

How can we pass cusomt values to the refresh process to the new access token can be generated like it is during login? Thanks for the help.

rueben.tiow · April 25, 2022, 5:25pm

Hi @hector,

Welcome to the Auth0 Community!

Firstly, I believe that the current approach of passing a query parameter to the authentication page is not ideal for passing custom claims to grant access to your APIs. Moreover, as you observed, calling the getAccessTokenSilently() method will not be able to pass a query parameter.

Instead, I recommend that you configure RBAC (Role-Based Access Control) to grant your users specific scopes (Permissions) for your API. This way, you can specify the scopes in your getAccessTokenSilently() method to allow your users can make valid API calls only if they have the correct scopes granted to them.

See our Configure Core Authorization Features for Role-Based Access Control doc to learn more.

Please let me know if you have any questions.
Thank you.

hector · April 25, 2022, 7:28pm

Thanks for the response! So my follow-up question is, how would we pass data from the client during login and token refresh using the React Native SDK or the Auth0 API? This data is unique per user and generated upon client startup.

rueben.tiow · April 25, 2022, 9:24pm

Hi @hector,

Thank you for your response.

You should be able to pass the data through the scope parameter in the request for both Login and Silent Authentication.

For example:

const accessToken = await getAccessTokenSilently({
    audience: "YOUR_API_IDENTIFIER",
    scope: "YOUR_SCOPE",
});

Please let me know how this goes for you.

Thanks.

hector · April 26, 2022, 12:26am

Thanks, can I pass a key value pair object in my scope? I may want to pass 1 or more related parameters to the authentication endpoint to add to the access token claims.

rueben.tiow · May 2, 2022, 4:31pm

Hi @hector,

Thank you for your response.

Yes, in the format key:value to reference the scopes (permissions).

If you need to pass one or more scopes, you can separate each scope with a space in the string of the request:

const accessToken = await getAccessTokenSilently({
    audience: "YOUR_API_IDENTIFIER",
    scope: "openid email profile read:users edit:users",
});

Thank you.

Topic		Replies	Views
How to add pass query parameter while calling auth0 using refresh token ( react-native-auth0 ) Help	1	2181	March 9, 2022
Missing Custom Claim in token Help user-profile , user-management	4	806	December 5, 2023
Unable to Refresh JWT with Updated Custom Claims in React App Using Auth0 Refresh Tokens Help apis , application	4	25	August 30, 2024
Add/Update Access Token Custom Claim WITHOUT flow/rule? Help sessions , authentication-sessions	6	2740	December 19, 2022
Update Claims via RefreshToken Help cordova , auth0 , custom-claims , ionic2	2	6840	August 27, 2019

Update Access Token custom claims with Refresh Token

Related topics