Problem statement
When using the Auth0 post-login flow to set custom claims in the token, data is received from metadata and set in the token as a custom claim. Will the custom claim be available even if the access_token is acquired via refresh_token?
Solution
Yes. Access tokens obtained with a refresh token also carry the custom claim, because the extensibility points (actions, rules, hooks) also run in a refresh token flow. Any custom claim added to the access token in the post-login action is therefore added again when the token is refreshed.
If the action code does not need to run when tokens are refreshed, add the following to the flow:
// Rules signature (user, context, callback): exit early on a refresh token exchange
if (context.protocol === 'oauth2-refresh-token') {
  return callback(null, user, context);
}
For example, this code is used to bypass MFA in the example here.
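An added example, not Auth0's own code: a post-login Action written so that the custom claim is still set on refresh while only the MFA step is skipped, since an early return placed before the claim is set would leave refreshed access tokens without it. It uses the Actions counterpart of the check above (event.transaction.protocol); the https://example.com/ namespace, the plan metadata key, and the simulate helper with its stub api and sample event are assumptions constructed for illustration.

```javascript
// Added example. NAMESPACE and the "plan" metadata key are assumptions.
const NAMESPACE = 'https://example.com/'; // hypothetical claim namespace

// Post-login logic in Actions form. event.transaction.protocol is the
// Actions counterpart of context.protocol in Rules.
function applyPostLogin(event, api) {
  const isRefresh = event.transaction?.protocol === 'oauth2-refresh-token';

  // Set the claim on every run, refresh included. Returning before this
  // point would issue refreshed access tokens without the claim.
  const plan = (event.user.app_metadata || {}).plan; // hypothetical key
  if (plan !== undefined) {
    api.accessToken.setCustomClaim(`${NAMESPACE}plan`, plan);
  }

  // Skip only the interactive step: a refresh is a non-interactive
  // token request, so MFA is not triggered for it.
  if (isRefresh) return;
  api.multifactor.enable('any');
}

// In an Auth0 Action this would be assigned to exports.onExecutePostLogin.
const onExecutePostLogin = async (event, api) => applyPostLogin(event, api);

// Constructed event and a recording stub for `api`, so the flow runs offline.
function simulate(protocol) {
  const calls = { claims: {}, mfa: [] };
  const api = {
    accessToken: { setCustomClaim: (k, v) => { calls.claims[k] = v; } },
    multifactor: { enable: (provider) => { calls.mfa.push(provider); } },
  };
  const event = {
    transaction: { protocol },
    user: { app_metadata: { plan: 'gold' } }, // constructed sample metadata
  };
  applyPostLogin(event, api);
  return calls;
}

console.log('login  :', simulate('oidc-basic-profile'));
console.log('refresh:', simulate('oauth2-refresh-token'));
```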