Reputation:
I have an IdentityServer with some clients and it works great. My problem is, when one of the admins changes the roles of a user, the clients need to sign up and sign in to get the new claims and roles.
My question is, is there a way to let the roles get updated automatically after changing the roles, without getting signed out and in?
For any help I would be very thankful :)
Upvotes: 0
Views: 777
Reputation: 19921
You can set this flag to true in the client definition to reload the claims inside the access token when you refresh them.
UpdateAccessTokenClaimsOnRefresh: Gets or sets a value indicating whether the access token (and its claims) should be updated on a refresh token request.
See https://docs.duendesoftware.com/identityserver/v5/reference/models/client/
For refresh tokens, I add some pictures from my training class that might give a better idea about refresh tokens (you ask for them using the offline_access scope).
When you ask for that scope and give consent, then you will get an additional "refresh token".
And using the refresh token you can then ask for new access tokens.
The picture (taken from my training class) shows how the sliding refresh token works:
You do ask for a new token (using the refresh token) when the access token is about to expire. The lifetime of the access token is shorter than the refresh token.
You either do that manually or you use some library like IdentityModel.AspNetCore to do it for you.
Upvotes: 1
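A client definition that combines the flag from the answer above with refresh tokens, as an added example that is not code from the original answer or from the Duende project. The client id, secret, redirect URI, scope names ("roles", "api1") and all lifetime values are assumptions chosen for illustration.

```csharp
using System.Collections.Generic;
using Duende.IdentityServer;
using Duende.IdentityServer.Models;

public static class Config
{
    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            // Hypothetical client; replace id, secret and URI with your own.
            ClientId = "example-web-client",
            ClientSecrets = { new Secret("placeholder-secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.Code,
            RedirectUris = { "https://client.example/signin-oidc" },

            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "roles", // assumed identity resource carrying the role claim
                "api1"   // assumed API scope
            },

            // Lets the client request the offline_access scope and
            // receive a refresh token alongside the access token.
            AllowOfflineAccess = true,

            // Rebuild the access token claims on every refresh token
            // request instead of copying them from the original token.
            UpdateAccessTokenClaimsOnRefresh = true,

            // Short access token lifetime (seconds): a token issued before
            // a role change stays valid until it expires, so this value
            // bounds how long the old roles remain usable.
            AccessTokenLifetime = 300,

            // Sliding refresh token, capped by an absolute lifetime.
            RefreshTokenExpiration = TokenExpiration.Sliding,
            SlidingRefreshTokenLifetime = 1296000,  // 15 days
            AbsoluteRefreshTokenLifetime = 2592000, // 30 days
            RefreshTokenUsage = TokenUsage.OneTimeOnly
        }
    };
}
```

With this configuration a role change appears in the next access token obtained through the refresh token, without the user signing out and in again.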