Will Access Tokens Received Via Refresh Token Contain the Custom Claims?

Problem statement

When using the Auth0 post-login flow to set custom claims in the token, data is received from metadata and set in the token as a custom claim. Will the custom claim be available even if the access_token is acquired via refresh_token?

Solution

Yes, access tokens received via a refresh token will also have the custom claim. This is because the extensibility points (Actions, Rules, Hooks) also run in a refresh token flow. Therefore, any custom claims added to the access token in the post-login Action will also be added in a refresh token flow.

In cases where it is not necessary to execute action code when refreshing tokens, add the following to the flow:

// Skip the remaining logic when the token is issued through a refresh token exchange
if (context.protocol === 'oauth2-refresh-token') {
  return callback(null, user, context);
}

For example, this code is used to bypass MFA in the example here.
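
The following added example (not Auth0's own code) shows the same idea in a post-login Action: the custom claim is set on every flow, and only the MFA step is skipped on refresh, since an early return placed before the claim is set would leave refreshed access tokens without it. The claim namespace, the `plan` metadata key, and the mock `api` object used for the offline check are assumptions made for illustration.

```javascript
// Added example: post-login Action logic with a refresh-token check.
// NAMESPACE and the `plan` app_metadata key are assumptions, not page values.
const NAMESPACE = 'https://example.com/claims/';
const REFRESH_PROTOCOL = 'oauth2-refresh-token';

function applyPostLogin(event, api) {
  const isRefresh = event.transaction?.protocol === REFRESH_PROTOCOL;

  // Runs on every flow, including refresh, so a refreshed access token
  // carries the same custom claim as the one issued at login.
  const plan = (event.user.app_metadata || {}).plan;
  if (plan !== undefined) {
    api.accessToken.setCustomClaim(`${NAMESPACE}plan`, plan);
  }

  // Interactive-only step: no user is present during a refresh exchange,
  // so the MFA prompt is skipped there.
  if (!isRefresh) {
    api.multifactor.enable('any');
  }
  return isRefresh;
}

// Entry point Auth0 invokes for the post-login trigger.
const onExecutePostLogin = async (event, api) => { applyPostLogin(event, api); };
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed mock of the Action `api` object, recording calls for inspection.
function makeMockApi() {
  const calls = { claims: {}, mfa: [] };
  return {
    calls,
    accessToken: { setCustomClaim: (k, v) => { calls.claims[k] = v; } },
    multifactor: { enable: (provider) => { calls.mfa.push(provider); } },
  };
}

// Runs the logic against a constructed event and returns the recorded calls.
function simulate(protocol, appMetadata) {
  const api = makeMockApi();
  const event = { transaction: { protocol }, user: { app_metadata: appMetadata } };
  applyPostLogin(event, api);
  return api.calls;
}
```
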