okta-oidc-js
https://github.com/okta/okta-oidc-js

ID token refresh Feature Request/Question #1025

Closed abroadhurstDistology closed 3 years ago

abroadhurstDistology commented 3 years ago

Current behaviour

After the user has been updated in the Okta org but still has a current app session, the information stored in the ID token that is retrievable via request.userContext.userinfo for that particular session keeps the old value that was obtained when the user first logged into the app.

Expected behaviour

It is expected behaviour

Minimal reproduction of the problem with instructions

Create an app that creates a local session for a user by authenticating using authorization code, and use an authorization server that returns a custom attribute as a claim in the ID token with the 'profile' scope. Ensure you use 'openid' and 'profile' for the scope for authentication. Sign in as a user with a 'null' value for your custom attributes (depending on your claim they may not show up (null) or show up as ""). Update the user from the Okta admin interface without signing out of the app. Refresh the webapp page (and force the webapp to log userContext.userinfo). The attribute will not have changed despite being updated in Okta, even when oidc.ensureAuthenticated() is used.

aarongranick-okta commented 3 years ago

@abroadhurstDistology The information in the ID token will not be updated until it is renewed. ensureAuthenticated only checks for the existence and validity of the token; it does not compare all fields with current server values. To retrieve current user info directly from the server, you can make a call to the userinfo endpoint: https://developer.okta.com/docs/reference/api/oidc/#userinfo

You might be able to integrate this information into your app by using the "extend user info" feature: https://github.com/okta/okta-oidc-js/tree/master/packages/oidc-middleware#extending-the-user. It could make a request to the /userinfo endpoint at the beginning of the session or whenever you want.
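One way to wire up the approach suggested in the reply above, as an added example that is not code from okta-oidc-js or from either commenter: Express-style middleware that calls /userinfo with the session's access token and overwrites the stale ID-token claims, rate-limited so the endpoint is not hit on every request. It assumes the middleware populates req.userContext.userinfo and req.userContext.tokens.access_token (as the oidc-middleware README describes), and it constructs a fake /userinfo response so it runs offline.

```javascript
// Added example (not okta-oidc-js code): refresh stale ID-token claims from the
// OIDC /userinfo endpoint. Assumes, as the oidc-middleware README describes, that
// the middleware populates req.userContext.userinfo (claims decoded from the ID
// token) and req.userContext.tokens.access_token.
const USERINFO_MAX_AGE_MS = 5 * 60 * 1000; // re-fetch at most every 5 minutes

// Returns Express-style middleware. fetchImpl is injectable so the example runs
// offline; in production leave it as the global fetch.
function refreshUserinfo(issuer, { fetchImpl = fetch, maxAgeMs = USERINFO_MAX_AGE_MS, now = Date.now } = {}) {
  const endpoint = `${issuer.replace(/\/$/, '')}/v1/userinfo`; // Okta: <issuer>/v1/userinfo
  return async function (req, res, next) {
    const ctx = req.userContext;
    if (!ctx || !ctx.tokens || !ctx.tokens.access_token) return next(); // no session
    if (now() - (ctx.userinfoFetchedAt || 0) < maxAgeMs) return next(); // fresh enough
    try {
      const resp = await fetchImpl(endpoint, {
        headers: { Authorization: `Bearer ${ctx.tokens.access_token}` },
      });
      if (!resp.ok) throw new Error(`userinfo returned HTTP ${resp.status}`);
      const fresh = await resp.json();
      // Keep the ID token's subject authoritative: never merge another user's claims.
      if (fresh.sub !== ctx.userinfo.sub) throw new Error('userinfo sub mismatch');
      ctx.userinfo = { ...ctx.userinfo, ...fresh }; // fresh claims overwrite stale ones
      ctx.userinfoFetchedAt = now();
    } catch (err) {
      req.userinfoRefreshError = err; // keep serving on ID-token claims; the app decides how to log
    }
    return next();
  };
}

// Constructed sample: department was null in the ID token at login; the fake
// /userinfo response reflects the admin's later update in Okta.
async function demo() {
  const req = { userContext: { userinfo: { sub: 'user-1', department: null },
                               tokens: { access_token: 'constructed-token' } } };
  const calls = [];
  const fakeFetch = async (url, opts) => {
    calls.push({ url, auth: opts.headers.Authorization });
    return { ok: true, status: 200, json: async () => ({ sub: 'user-1', department: 'Finance' }) };
  };
  const mw = refreshUserinfo('https://example.okta.com/oauth2/default', { fetchImpl: fakeFetch });
  await new Promise((resolve) => mw(req, {}, resolve));
  await new Promise((resolve) => mw(req, {}, resolve)); // within maxAgeMs: no second call
  return { userinfo: req.userContext.userinfo, calls };
}
```

Mount it with app.use(oidc.router) followed by app.use(refreshUserinfo(issuer)) so that every handler behind it sees the refreshed claims.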