Update Claims via RefreshToken

Hello there,

I’m actually developing a small Ionic-app, which uses Auth0 for its authorization.
ATM I have included the suggested library (auth0-cordova), which is available here:

GitHub - auth0/auth0-cordova: Auth0 integration for Cordova apps

I’ve managed to get it working via the official documentation and the corresponding samples:

  1. Authorization via Auth0Cordova(CONFIG).authorize(options)
  2. Getting profile via accessToken → this.Auth0.client.userInfo(this.accessToken, (err, profile) => {
  3. Eventually refresh the Token if it expires → POST@“oauth/token”-endpoint

[1][2] https://github.com/auth0-samples/auth0-ionic3-samples/blob/master/01-Login/src/services/auth.service.ts
[3] Refresh Tokens

But now I’m facing another problem:
I would like to get a specific role/permission for the authenticated user, which AFAIK can be done via custom claims…

This also works if I include a custom property (i.e. some_id) which is defined in my rules.
BUT this only works at the first step above (authorize) and not if I would like to update my role/rule through the “oauth/token”-endpoint.

Is there any way to re-run the rules while refreshing the token via the corresponding endpoint (oauth/token) or is it mandatory to re-authenticate the user via the authorize method?
The problem here is that even with silent authentication (prompt=none) a short screen flickering occurs while the webview gets opened… looks a bit confusing for the end-user IMHO.

I also found those two “hints”, which are in my ignorance contradictory?
“Please note that adding custom claims to ID Tokens through this method will also let you obtain them when calling the /userinfo endpoint. However, rules run when the user is authenticating, not when /userinfo is called.”

…/docs/api-auth/tutorials/adoption/scope-custom-claims
“You should only ask for a new token if the Access Token has expired or you want to refresh the claims contained in the ID Token.”
…/docs/tokens/refresh-token/current#get-a-refresh-token

And last but not least another question:

PKCE-Auth is used for native/hybrid apps and SHOULD BE USED by them (like cordova/ionic in my case)?
This means I should use the auth0-cordova-lib?

Thanks in advance!

Hello there,
Please find below my responses to your questions.

I would like to get a specific role/permission for the authenticated user, which AFAIK can be done via custom claims…
This also works if I include a custom property (i.e. some_id) which is defined in my rules.
BUT this only works at the first step above (authorize) and not if I would like to update my role/rule through the “oauth/token”-endpoint.

Is there any way to re-run the rules while refreshing the token via the corresponding endpoint (oauth/token) or is it mandatory to re-authenticate the user via the authorize method?

When you do a refresh token grant on an OIDC conformant application, the rules will be executed, and if you have included openid as one of the scopes in the initial request for the token, you would receive an ID Token as well as Access Token in the response. Note that Rules will not be executed if your application is not tagged as OIDC conformant.

You can make your application OIDC-Conformant by going to Application advanced settings → OAuth → Toggling ON the OIDC Conformant switch.

Note that the refresh token grant endpoint also accepts scope, so you can request different claims included in the access token that way.

You can read more about the differences when refreshing the token of an OIDC app vs a non-OIDC one here: Refresh Tokens

I also found those two “hints”, which are in my ignorance contradictory?
“Please note that adding custom claims to ID Tokens through this method will also let you obtain them when calling the /userinfo endpoint. However, rules run when the user is authenticating, not when /userinfo is called.”
OpenID Connect Scopes
“You should only ask for a new token if the Access Token has expired or you want to refresh the claims contained in the ID Token.”
Refresh Tokens

I don’t understand this point about the above two paragraphs contradicting each other. Could you please explain a bit more?
It is expected that /userinfo will not execute Rules because in order to call /userinfo, an Access token is required, which should have been obtained by authenticating the user initially or by refreshing the access token.

You can refresh the Access token and the claims included in it using the refresh token grant (with the scope parameter). Once you have the new Access token, you can use it to call /userinfo and receive the user profile as expected.

PKCE-Auth is used for native/hybrid apps and SHOULD BE USED by them (like cordova/ionic in my case)?
This means I should use the auth0-cordova-lib?

This is correct. Using Authorization Code PKCE grant with native/hybrid apps is the recommended method.
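The refresh flow this answer describes (a refresh_token grant to /oauth/token that passes scope again, then reading the re-computed custom claim from the returned ID token), as an added example that is not code from the thread, the auth0-cordova library or the Auth0 samples. The tenant, client id and the namespaced claim name are placeholders, and the sample token is constructed locally with a dummy signature segment so the code runs offline.

```javascript
// Added example for the thread above, not code from the post, auth0-cordova
// or the Auth0 samples. Tenant, client id and claim namespace are placeholders.
const AUTH0_DOMAIN = "example.auth0.com";         // placeholder tenant
const CLIENT_ID = "YOUR_CLIENT_ID";               // placeholder client id
const ROLES_CLAIM = "https://example.com/roles";  // placeholder claim set by a rule

// Request for POST https://<tenant>/oauth/token using the refresh_token grant. On an
// OIDC-conformant application the rules run again for this grant; keeping "openid"
// in scope is what returns a fresh ID token carrying the re-computed custom claims.
function buildRefreshRequest(refreshToken, scope = "openid profile") {
  return {
    url: `https://${AUTH0_DOMAIN}/oauth/token`,
    body: JSON.stringify({
      grant_type: "refresh_token",
      client_id: CLIENT_ID,
      refresh_token: refreshToken,
      scope,
    }),
  };
}

// base64url (RFC 7515 section 2): URL-safe alphabet, no padding.
const b64url = (s) => Buffer.from(s, "utf8").toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s) => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");

// Decode (not verify) the payload of a compact JWS. Fine for a client reading claims
// from a token it just received over TLS from the token endpoint; an API that trusts
// these claims must verify the token signature instead.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(fromB64url(parts[1]));
}

// Role claim from a token response; undefined when no ID token came back ("openid"
// not in scope) or the rule did not add the claim (e.g. app not OIDC conformant).
function rolesFromTokenResponse(tokenResponse) {
  if (!tokenResponse.id_token) return undefined;
  const payload = decodeJwtPayload(tokenResponse.id_token);
  if (payload.exp * 1000 <= Date.now()) throw new Error("ID token already expired");
  return payload[ROLES_CLAIM];
}

// Constructed sample shaped like an Auth0 ID token, with a dummy signature segment
// so the decode path can be exercised offline.
function makeSampleIdToken(payload) {
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  return `${header}.${b64url(JSON.stringify(payload))}.${b64url("constructed-signature")}`;
}
```

Comparing `rolesFromTokenResponse` on the ID token from the initial authorize call and on the one from the refresh response shows directly whether the rules re-ran on refresh.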