aic

Reputation: 185

Correct way to get a new access token after changing a user's claims in IdentityServer4

I'm using IdentityServer4 with Angular 8 and Web API.

When a user registers I log them in automatically using the oidc-client userManager.signinSilent method.

I use the same method to update the access token after a user's claims have been updated. For example, the user may pay for a service so I need to update the user's claims and have this reflected in the access token for the UI.

Is this the correct way to update the access token?

Upvotes: 1

Views: 1470

Answers (2)

Use this property on your client settings in IDP.

'UpdateAccessTokenClaimsOnRefresh'

Gets or sets a value indicating whether the access token (and its claims) should be updated on a refresh token request.

https://identityserver4.readthedocs.io/en/release/reference/client.html?highlight=UpdateAccessTokenClaimsOnRefresh

Upvotes: 0

d_f

Reputation: 4859

According to the spec, there is no way to update a JWT once it has been issued. So the only option is to replace the token by setting the TTL (AccessTokenLifetime property for the client in IdentityServer) reasonably short, automaticSilentRenew = true and optionally playing with the accessTokenExpiringNotificationTime parameter (the last two on oidc-client side).

An alternative is to use a reference token instead of the default JWT with IdentityServer4.AccessTokenValidation on API side.

Finally, the most straightforward approach is to decouple authentication and permissions, so that the token contains the identity of the user plus a set of predefined scopes in the API for calling application only. And real time permissions for the user come from a separate service, such as this one.

Upvotes: 1
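An added example, not code from either answer or from the IdentityServer4 project, that combines the two server-side knobs named above in C#: an IdentityServer4 Client with a short AccessTokenLifetime and UpdateAccessTokenClaimsOnRefresh, plus an IProfileService that re-reads the user's current claims from the application's own store each time a token is issued, so a token obtained via signinSilent (a fresh authorization request through the profile service) or via the refresh_token grant carries the updated claims. The user store (IUserClaimStore), client id, URIs and scope names are assumed placeholders; as the quoted documentation says, UpdateAccessTokenClaimsOnRefresh only affects refresh token requests.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Services;

// Hypothetical application user store (placeholder); replace with your own.
public interface IUserClaimStore
{
    Task<IEnumerable<Claim>> GetCurrentClaimsAsync(string subjectId);
    Task<bool> IsEnabledAsync(string subjectId);
}

public static class Clients
{
    public static Client AngularSpa => new Client
    {
        ClientId = "angular-spa",                       // assumed
        AllowedGrantTypes = GrantTypes.Code,
        RequirePkce = true,
        RequireClientSecret = false,
        RedirectUris = { "https://app.example.com/callback", "https://app.example.com/silent-renew.html" },
        AllowedScopes = { "openid", "profile", "api" }, // assumed scope names
        // Short lifetime: a renewed token picks up changed claims within minutes (second answer).
        AccessTokenLifetime = 300,
        // On a refresh_token grant, re-run the profile service instead of copying the old claims (first answer).
        AllowOfflineAccess = true,
        UpdateAccessTokenClaimsOnRefresh = true,
    };
}

// Emits claims from the live user record, so every newly issued token reflects the current state.
public class LiveClaimsProfileService : IProfileService
{
    private readonly IUserClaimStore _store;
    public LiveClaimsProfileService(IUserClaimStore store) => _store = store;

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var sub = context.Subject.FindFirst("sub")?.Value;
        if (sub == null) return;
        var current = await _store.GetCurrentClaimsAsync(sub);
        // Only claim types the client and requested scopes are allowed to receive are added.
        context.AddRequestedClaims(current);
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        // Also lets a disabled account stop receiving tokens on the next renew.
        var sub = context.Subject.FindFirst("sub")?.Value;
        context.IsActive = sub != null && await _store.IsEnabledAsync(sub);
    }
}
```

Register both in Startup with `services.AddIdentityServer().AddInMemoryClients(new[] { Clients.AngularSpa }).AddProfileService<LiveClaimsProfileService>();`, and keep the API side validating expiry so a stale token is rejected rather than trusted past its short lifetime.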
