
Update Claims via RefreshToken



Hello there,

I’m actually developing a small Ionic-app, which uses Auth0 for its authorization.
ATM I have included the suggested library (auth0-cordova), which is available here:

I’ve managed to get it working via the official documentation and the corresponding samples:

  1. Authorization via Auth0Cordova(CONFIG).authorize(options)
  2. Getting profile via accessToken --> this.Auth0.client.userInfo(this.accessToken, (err, profile) => {
  3. Eventually refresh the Token if it expires --> POST@“oauth/token”-endpoint


But now I’m facing another problem:
I would like to get a specific role/permission for the authenticated user, which AFAIK can be done via custom claims…

This also works if I include a custom property (i.e. some_id) which is defined in my rules.
BUT this only works at the first step above (authorize) and not if I would like to update my role/rule through the “oauth/token”-endpoint.

Is there any way to re-run the rules while refreshing the token via the corresponding endpoint (oauth/token) or is it mandatory to re-authenticate the user via the authorize method?
The problem here is even with the silent-authentication (prompt=none) a short screen-flickering occurs while the webview gets opened… looks a bit confusing for the end-user IMHO.

I also found those two “hints”, which are, in my ignorance, contradictory??
“Please note that adding custom claims to ID Tokens through this method will also let you obtain them when calling the /userinfo endpoint. However, rules run when the user is authenticating, not when /userinfo is called.”

“You should only ask for a new token if the Access Token has expired or you want to refresh the claims contained in the ID Token.”

And last but not least another question:

PKCE-Auth is used for native/hybrid apps and SHOULD BE USED by them (like cordova/ionic in my case)?
This means I should use the auth0-cordova-lib?

Thanks in advance!
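One way to check whether a refresh actually changed the custom claims is to decode the ID token from step 1 and the one returned by the “oauth/token” endpoint in step 3 and compare them. This is an added example, not part of the original post or of auth0-cordova; the `https://example.com/` namespace, the `role` claim, the helper names and the sample tokens are constructed assumptions, and it runs under Node.js.

```javascript
// Added example (not from the original post). Decoding is for inspection only:
// it does NOT verify the signature, so never authorize on claims read this way.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Claims that differ on every issuance and say nothing about rule output.
const VOLATILE = new Set(['iat', 'exp', 'nonce', 'at_hash', 'auth_time']);

// Returns { claimName: { before, after } } for every claim that changed.
function diffClaims(before, after) {
  const changes = {};
  for (const k of new Set([...Object.keys(before), ...Object.keys(after)])) {
    if (VOLATILE.has(k)) continue;
    if (JSON.stringify(before[k]) !== JSON.stringify(after[k])) {
      changes[k] = { before: before[k], after: after[k] };
    }
  }
  return changes;
}

// Form body for step 3: the standard refresh_token grant (RFC 6749, section 6).
function buildRefreshBody(clientId, refreshToken) {
  return new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    refresh_token: refreshToken,
  }).toString();
}

// Constructed sample tokens: the signature segment is a placeholder.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256', typ: 'JWT' }), enc(payload), 'constructed-sig'].join('.');
}

const NS = 'https://example.com/'; // hypothetical claim namespace
const fromAuthorize = makeSampleToken({ sub: 'auth0|constructed', iat: 1000, exp: 2000,
  [NS + 'some_id']: '42', [NS + 'role']: 'user' });
const fromRefresh = makeSampleToken({ sub: 'auth0|constructed', iat: 3000, exp: 4000,
  [NS + 'some_id']: '42', [NS + 'role']: 'admin' });

console.log(diffClaims(decodeClaims(fromAuthorize), decodeClaims(fromRefresh)));
```

An empty result means the refreshed token carries the same custom claims as the one from authorize.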