Will Access Tokens Received Via Refresh Token Contain the Custom Claims

rueben.tiow · April 2, 2024, 5:08pm

Problem statement

When using the Auth0 post-login flow to set custom claims in the token, data is received from metadata and set in the token as a custom claim. Will the custom claim be available even if the access_token is acquired via refresh_token?

Solution

Yes, access tokens received via a refresh token will also have the custom claim. The reason for this is that the extensibility points (actions, rules, hooks) will run as well in a refresh token flow. Therefore, any custom claims added to the access token in the post-login action will also be added in a refresh token flow.

In cases where it is not necessary to execute action code when refreshing tokens, add the following to the flow:

if (context.protocol === 'oauth2-refresh-token'){
    return callback(null, user, context);
  }

For example, this code is used to bypass MFA in the example here.

Topic		Replies	Views
Persistent custom claims in Access Token when using Refresh Tokens Help extensibility , actions-extensibility	3	1290	December 22, 2023
Add/Update Access Token Custom Claim WITHOUT flow/rule? Help sessions , authentication-sessions	6	2738	December 19, 2022
Customs claims are lost after refresh token Help sessions , authentication-sessions	2	1187	March 28, 2023
Refreshed token doesn't include the custom claim added during login Help login-experience , new-universal-login-experience	2	58	July 17, 2024
How do I encode custom claims in the access token JWT returned from the oauth 2.0 flow? Help user-management , user-password-management	6	1752	January 25, 2023

Will Access Tokens Received Via Refresh Token Contain the Custom Claims

Problem statement

Solution

Related Topics