bug: Refresh Token Flow Not Working After Updating Roles

anshpreet3101 commented 1 month ago

Describe the bug

I am using the management API to update the roles of a user. The roles get updated successfully on the server. However, when I refresh the token to get the updated roles using getRefreshToken() method , the roles in the token remain the same as before. Only the expiry time is updated, while the roles and other data remain unchanged.

Expected behavior

The new token should reflect the updated roles from the authentication server. Roles Updates when user redo the browser based signIn process.

How to reproduce?

Authenticate a user using Logto in an Expo application.
Change the user's roles on the authentication server using Logto Management API.
Refresh the token in the Expo application using getRefreshToken().

Context

[ ] Logto Cloud
Self-hosted, Logto version = 1.2.0
- Container (Docker image)
  - [ ] Raw Node.js

pratibha3011 commented 1 month ago

+1

@charIeszhao @gao-sun @simeng-li can you please check this?

simeng-li commented 3 weeks ago

For any newly assigned roles or permissions, the user must re-authenticate again to pick up the latest changes.

pratibha3011 commented 2 weeks ago

For any newly assigned roles or permissions, the user must re-authenticate again to pick up the latest changes.

Thanks for the response @simeng-li . My application is using logto in a react-native app. When a logged in user subscribes in my app, asking them to logout and login is not good user experience. None of the apps, do this. after subscription, we need to provide benefits in the same session. benefits are driven by the roles/permissions in user token.

This is a blocker for us. We will need to find an alternative if this is the case. what do you suggest @simeng-li ?

logto-io / react-native