bug: Refresh Token Flow Not Working After Updating Roles #32
Comments
+1 @charIeszhao @gao-sun @simeng-li, can you please check this?
For any newly assigned roles or permissions, the user must re-authenticate to pick up the latest changes.
Thanks for the response @simeng-li. This is a blocker for us. We will need to find an alternative if this is the case. What do you suggest @simeng-li?
Hi, apologies for the late response. In the OAuth 2.0 standard, if a user is assigned a new role or permission, the client must resend an authorization request to the authorization server to obtain a refreshed access token with the updated scopes. As an alternative, you can try the Organization Roles and Permissions instead of user permissions. Organization permission updates do not require a re-authorization from the user.
Hi, I think there is a misunderstanding in the context. I'm sorry if we sounded like we were implying a re-login; that is indeed a bad user experience. However, performing a "re-authentication" action does not always mean "logout and re-login". To be precise, it is actually a "/auth" request, with all the necessary information (e.g. grant_type, scopes, resources, etc.). If you are still looking for a solution with pure user RBAC, you can do this whenever the user is assigned a new role (with new scopes):

signIn({ redirectUri: 'your-redirect-uri', prompt: 'consent' });

Check the documentation for more details. We call this a "re-consent" action, which returns the new user scopes in the new access token. From the end user's point of view, doing this feels like nothing more than a page refresh. In conclusion, we have 2 solutions for your use case.
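The behaviour discussed in this thread, as an added example that is not part of the issue and not the project's SDK or server code: a small in-memory model of an authorization server in which a refresh token is bound to the scopes of the grant it came from (the OAuth 2.0 rule in RFC 6749 section 6 that a refresh cannot widen scope), so updating a user's roles changes nothing until a fresh authorization request is made. The role names, scope strings, user id, and the helper names `authorize`, `refresh`, `assignRole` and `needsReconsent` are all constructed for illustration; `authorize()` stands in for the browser `signIn({ prompt: 'consent' })` round trip, and `assignRole()` for the management API call.

```javascript
// Added example (not the project's code): why a refresh-token exchange keeps the
// old roles, and why a new authorization request ("re-consent") picks up new ones.
// Everything below (users, roles, scopes, token format) is constructed sample data.

// Server-side state: which scopes each role grants, and which roles each user has.
const roleScopes = {
  viewer: ["read:reports"],
  editor: ["read:reports", "write:reports"],
};
const userRoles = { alice: ["viewer"] };

// Scopes the server would grant *right now* for a user, derived from current roles.
function scopesForUser(userId) {
  const roles = userRoles[userId] || [];
  return [...new Set(roles.flatMap((r) => roleScopes[r] || []))].sort();
}

// Grants keyed by refresh token. Each grant remembers the scopes it was issued with.
const grants = new Map();
let nextId = 1;

function newToken(sub, scope, ttlSeconds) {
  return { sub, scope: [...scope], exp: Math.floor(Date.now() / 1000) + ttlSeconds, jti: String(nextId++) };
}

// Simulated authorization request (/auth + code exchange): the only place where
// the user's current role assignments are read.
function authorize(userId, ttlSeconds = 3600) {
  const scope = scopesForUser(userId);
  const refreshToken = `rt-${nextId++}`;
  grants.set(refreshToken, { sub: userId, scope });
  return { accessToken: newToken(userId, scope, ttlSeconds), refreshToken };
}

// Simulated refresh-token grant: copies the originally granted scope verbatim,
// so only the expiry moves. This is the behaviour the issue reporter observed.
function refresh(refreshToken, ttlSeconds = 3600) {
  const grant = grants.get(refreshToken);
  if (!grant) throw new Error("unknown or revoked refresh token");
  return { accessToken: newToken(grant.sub, grant.scope, ttlSeconds), refreshToken };
}

// Stand-in for the management API role update.
function assignRole(userId, role) {
  if (!roleScopes[role]) throw new Error(`unknown role: ${role}`);
  userRoles[userId] = [...new Set([...(userRoles[userId] || []), role])];
}

// Client-side check: if the token we hold lacks a scope the app needs, refreshing
// will not help; the client should trigger a new authorization (prompt: 'consent').
function needsReconsent(accessToken, requiredScopes) {
  const held = new Set(accessToken.scope);
  return requiredScopes.some((s) => !held.has(s));
}

// Walk through the scenario from the issue and return the observed scopes.
function demo() {
  const session = authorize("alice");
  const before = session.accessToken.scope;                 // ["read:reports"]
  assignRole("alice", "editor");                            // roles updated server-side
  const refreshed = refresh(session.refreshToken);
  const afterRefresh = refreshed.accessToken.scope;         // still ["read:reports"]
  const reconsent = needsReconsent(refreshed.accessToken, ["write:reports"]); // true
  const fresh = authorize("alice");                         // the re-consent request
  const afterReconsent = fresh.accessToken.scope;           // ["read:reports", "write:reports"]
  return { before, afterRefresh, reconsent, afterReconsent };
}
```

The `needsReconsent` check is the piece a client would keep: before calling an API that requires a scope, compare the scopes carried by the current access token against what the call needs, and only when a scope is missing fall back to a new authorization request rather than a refresh.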
Describe the bug
I am using the management API to update the roles of a user. The roles get updated successfully on the server. However, when I refresh the token to get the updated roles using the getRefreshToken() method, the roles in the token remain the same as before. Only the expiry time is updated, while the roles and other data remain unchanged.
Expected behavior
The new token should reflect the updated roles from the authentication server.
Roles update when the user redoes the browser-based signIn process.
How to reproduce?
Context