Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug: Refresh Token Flow Not Working After Updating Roles #32

Open
2 tasks
anshpreet3101 opened this issue Sep 26, 2024 · 4 comments
Open
2 tasks

bug: Refresh Token Flow Not Working After Updating Roles #32

anshpreet3101 opened this issue Sep 26, 2024 · 4 comments
Labels
invalid This doesn't seem right

Comments

@anshpreet3101
Copy link

Describe the bug

I am using the management API to update the roles of a user. The roles get updated successfully on the server. However, when I refresh the token to get the updated roles using getRefreshToken() method , the roles in the token remain the same as before. Only the expiry time is updated, while the roles and other data remain unchanged.

Expected behavior

The new token should reflect the updated roles from the authentication server.
Roles Updates when user redo the browser based signIn process.

How to reproduce?

  • Authenticate a user using Logto in an Expo application.
  • Change the user's roles on the authentication server using Logto Management API.
  • Refresh the token in the Expo application using getRefreshToken().

Context

  • Logto Cloud
  • Self-hosted, Logto version = 1.2.0
    • Container (Docker image)
  • Raw Node.js
@anshpreet3101 anshpreet3101 added the bug Something isn't working label Sep 26, 2024
@pratibha3011
Copy link

pratibha3011 commented Oct 14, 2024
edited
Loading

+1

@charIeszhao @gao-sun @simeng-li can you please check this?

@simeng-li
Copy link
Contributor

For any newly assigned roles or permissions, the user must re-authenticate again to pick up the latest changes.

@simeng-li simeng-li added invalid This doesn't seem right and removed bug Something isn't working labels Nov 1, 2024
@pratibha3011
Copy link

For any newly assigned roles or permissions, the user must re-authenticate again to pick up the latest changes.

Thanks for the response @simeng-li .
My application is using logto in a react-native app. When a logged in user subscribes in my app, asking them to logout and login is not good user experience. None of the apps, do this. after subscription, we need to provide benefits in the same session. benefits are driven by the roles/permissions in user token.

This is a blocker for us. We will need to find an alternative if this is the case. what do you suggest @simeng-li ?

@simeng-li
Copy link
Contributor

simeng-li commented Dec 19, 2024
edited
Loading

Hi, apologize for the late response.

In the OAuth 2.0 standard, if a user is assigned a new role or permission, the client must resend an authorization request to the authorization server to obtain a refreshed access token with the updated scopes. As an alternative, you can try the Organization Roles and Permissions instead of user permission. Organization permission updates does not require a re-authorization from the user.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
invalid This doesn't seem right
Milestone
No milestone
Development

No branches or pull requests
3 participants
@simeng-li @pratibha3011 @anshpreet3101