I put some claims in the access token that come from the DB during login (e.g. entity_id and role). Now at some stage the entity_id claim gets changed and I need to get a new access token with the updated claims. I am doing this using the refresh token to get a new access token, but it comes with the same old claims inside; maybe because the class implementing IResourceOwnerPasswordValidator is not being called in the case of a refresh token. So how can I get the updated claims in the access token? Because otherwise the user has to log out and log in again to get the entity_id and role claims updated.

I know the other option is to make use of the /userinfo endpoint for claims, but my question here is: in this case, how will the [Authorize(Roles = "Manager")] attribute of ASP.NET Core work and get to know about roles if they don't exist in the access token?
Or put differently - data that changes often is not a good candidate for claims in tokens.
That said - you can make identityserver run through the profile service pipeline again when getting a refreshed token - see here:
https://identityserver4.readthedocs.io/en/release/reference/client.html?highlight=UpdateAccessTokenClaimsOnRefresh
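The setting the answer links to, shown as an added example (not code from the question, the answer or the IdentityServer4 project): a client with UpdateAccessTokenClaimsOnRefresh enabled plus an IProfileService that reloads entity_id and role from the database on every token issuance, so a refresh grant picks up the changed claims. IUserStore, DbProfileService, the "mobile" client and the secret are assumed placeholders.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;

// Hypothetical DB access; stands in for whatever repository the app already uses.
public interface IUserStore
{
    Task<(string EntityId, string Role, bool IsActive)?> FindBySubjectAsync(string subjectId);
}

// Runs for the initial ROPC grant AND, with UpdateAccessTokenClaimsOnRefresh = true,
// again for every refresh-token grant. It must read from the DB, not copy claims from
// context.Subject: on a refresh that principal is built from the old token.
public class DbProfileService : IProfileService
{
    private readonly IUserStore _users;
    public DbProfileService(IUserStore users) => _users = users;

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = await _users.FindBySubjectAsync(context.Subject.GetSubjectId());
        if (user is null) return;                       // unknown subject: issue nothing
        context.IssuedClaims.Add(new Claim("entity_id", user.Value.EntityId));
        context.IssuedClaims.Add(new Claim("role", user.Value.Role)); // API's RoleClaimType must be "role"
    }

    // Also re-evaluated on refresh: a disabled account stops getting new access tokens.
    public async Task IsActiveAsync(IsActiveContext context)
    {
        var user = await _users.FindBySubjectAsync(context.Subject.GetSubjectId());
        context.IsActive = user?.IsActive ?? false;
    }
}

public static class Config
{
    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "mobile",                                         // constructed
            ClientSecrets = { new Secret("PLACEHOLDER-SECRET".Sha256()) }, // placeholder
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, "api1" },
            AllowOfflineAccess = true,                 // refresh tokens allowed
            UpdateAccessTokenClaimsOnRefresh = true,   // re-run IProfileService on refresh
        }
    };
}
// Startup.ConfigureServices:
//   services.AddIdentityServer().AddInMemoryClients(Config.Clients).AddProfileService<DbProfileService>();
```

With this in place the refreshed access token carries the current entity_id and role values and the existing [Authorize(Roles = "Manager")] checks keep working unchanged; the trade-off the answer notes still applies, since the claims are only as fresh as the last refresh.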