Ali Shahzad

Reputation: 5332

identity server - get updated claims with refresh token

I put some claims in the access token that come from the DB during login (e.g. entity_id and role). Now at some stage the entity_id claim gets changed and I need to get a new access token with the updated claims. I am doing this using the refresh token to get a new access token, but it comes with the same old claims inside; maybe because the class implementing IResourceOwnerPasswordValidator is not being called in the case of a refresh token. So how can I get the updated claims in the access token? Otherwise the user has to log out and log in again to get the entity_id and role claims updated.

I know the other option is to make use of the /userinfo endpoint for claims, but my question here is: in this case, how will the [Authorize(Roles = "Manager")] attribute of ASP.NET Core work and learn about roles if they don't exist in the access token?

Upvotes: 8

Views: 4455

Answers (1)

leastprivilege

Reputation: 18482

Or put differently - data that changes often is not a good candidate for claims in tokens.

That said - you can make identityserver run through the profile service pipeline again when getting a refreshed token - see here:

https://identityserver4.readthedocs.io/en/release/reference/client.html?highlight=UpdateAccessTokenClaimsOnRefresh

Upvotes: 9
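Here is an added example of what the answer describes, written for this page and not taken from the answer or from the IdentityServer4 project itself. It assumes IdentityServer4 with a hypothetical `IEntityRepository` standing in for the database lookup, a constructed client id `spa`, a placeholder secret and an API resource called `api1`; the claim types `entity_id` and `role` are the ones from the question. The profile service re-reads the mutable claims from the store on every call, and the `UpdateAccessTokenClaimsOnRefresh` flag on the client makes IdentityServer call that profile service again when a refresh token is redeemed instead of copying the claims from the previous token.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Services;

// Hypothetical repository abstraction (assumption); the real lookup hits your user store.
public interface IEntityRepository
{
    Task<(string EntityId, string Role)> GetCurrentAssignmentAsync(string subjectId);
}

// Profile service that reloads the mutable claims from the database on every call,
// so a refreshed access token carries the current entity_id and role.
public class DbProfileService : IProfileService
{
    private readonly IEntityRepository _repo;

    public DbProfileService(IEntityRepository repo) => _repo = repo;

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var sub = context.Subject.FindFirst("sub")?.Value;
        if (sub == null) return;

        // Fresh values from the store, not the ones cached in the old token.
        var (entityId, role) = await _repo.GetCurrentAssignmentAsync(sub);

        var claims = new List<Claim>
        {
            new Claim("entity_id", entityId),
            new Claim("role", role)
        };

        // Only emit claim types the resource actually declared (see Resources below);
        // context.Caller tells you whether this is for an access token, id token or userinfo.
        context.IssuedClaims.AddRange(
            claims.Where(c => context.RequestedClaimTypes.Contains(c.Type)));
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        // Place to deny refresh for disabled users; here every known subject is active.
        context.IsActive = true;
        return Task.CompletedTask;
    }
}

public static class Resources
{
    // Declaring the claim types here is what makes them show up in RequestedClaimTypes.
    public static IEnumerable<ApiResource> GetApis() => new[]
    {
        new ApiResource("api1", "Example API") { UserClaims = { "entity_id", "role" } }
    };
}

public static class Clients
{
    public static IEnumerable<Client> Get() => new[]
    {
        new Client
        {
            ClientId = "spa",                                      // constructed client id
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            ClientSecrets = { new Secret("placeholder-secret".Sha256()) },
            AllowOfflineAccess = true,                             // enables refresh tokens
            UpdateAccessTokenClaimsOnRefresh = true,               // re-run the profile service on refresh
            AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, "api1" }
        }
    };
}
```

Register it in `Startup` with `services.AddIdentityServer().AddInMemoryApiResources(Resources.GetApis()).AddInMemoryClients(Clients.Get()).AddProfileService<DbProfileService>();`. On the API side, `[Authorize(Roles = "Manager")]` only reads a claim the JWT bearer handler treats as the role claim; if your `role` claim is not mapped automatically, set `options.TokenValidationParameters.RoleClaimType = "role"` in `AddJwtBearer`. Note that this still only refreshes the claims when the refresh token is used, so the access token lifetime bounds how stale `entity_id` and `role` can be, which is the reason the answer warns against putting frequently changing data in tokens.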
