FusionAuth

    Roles don't update on refresh

      lou

      When a user logs on we get a refresh token and access token. The JWT has the roles in the object like this:

      {
          ...
          roles: [
              "role_foo",
              "role_bar"
          ]
      }
      

      These roles are inherited from the group and assigned during that initial login when it creates an active session.

      Say a user logs in and creates this session and we update their group roles to be:

      {
          ...
          roles: [
              "role_foo",
              "role_bar",
              "role_baz"
          ]
      }
      

      We should expect this to be the roles when a user creates a fresh session by logging in or when the user follows the refresh flow to get a new access_token. However, when a user uses a valid refresh_token the returned access_token from this refresh flow still matches the original session's grants:

      {
          ...
          roles: [
              "role_foo",
              "role_bar"
          ]
      }
      

      Am I misconfiguring something so that it gets the most up-to-date roles on refresh?

        dan @lou

        Hi @lou,

        I was unable to replicate this issue. I'm using 1.47.1.

        I used the login API for simplicity. I set up an application to Generate Refresh Tokens and Enable JWT refresh on the Security tab.

        I set that application up with three roles, and a group with one of those roles. I then assigned a user to that group.

        I called the Login API and got back a refresh token as well as an access token. I examined the access token and saw the expected one role.

        I then added another role to the group. Then I called the /api/jwt/refresh endpoint and looked at the resulting access token. That access token had 2 roles now.

        Here are the two requests:

        curl -H 'Authorization: bf69486b-4733-4470-a592-f1bfce7af580' http://localhost:9011/api/login -d '{"applicationId":"85a03867-dccf-4882-adde-1a79aeec50df","loginId":"admin@example.com","password":"password"}' -H 'Content-type: application/json'
        
        curl -H 'Authorization: bf69486b-4733-4470-a592-f1bfce7af580' http://localhost:9011/api/jwt/refresh -d '{"refreshToken": "fYFIudBHGFJMsBrmufiTJjvczKYkq6BvNTn3B6oIKRvXn4mJd4NQdA"}' -H 'Content-type: application/json'
        

        A few more questions to see if we can track down this behavior:

        • What version of FusionAuth are you running?
        • Can you provide more detailed recreate steps?
        • Did you use the authorization code grant?
        • Did you do something else between the initial login and the token refresh?
        • How did you update the group role setting?
        • How many nodes of FusionAuth are you running?

        Thanks,
        Dan

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

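A quick way to check the behaviour discussed in this thread, as an added example that is not part of either post or of FusionAuth's own code: decode the payload of the access token from login and of the one returned by the refresh call, then compare their `roles` claims. The tokens below are constructed samples with a dummy signature, and the `iat` check and all helper names are assumptions of this example.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT WITHOUT verifying the signature.
    Diagnostic use only; never make authorization decisions from this."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def compare_roles(before: str, after: str) -> dict:
    """Report how the roles claim changed between two access tokens."""
    old, new = jwt_claims(before), jwt_claims(after)
    old_roles, new_roles = set(old.get("roles", [])), set(new.get("roles", []))
    return {
        "added": sorted(new_roles - old_roles),
        "removed": sorted(old_roles - new_roles),
        # A refreshed token normally carries a later iat; an unchanged iat
        # suggests the client re-read a cached token, not the refresh response.
        "reissued": new.get("iat", 0) > old.get("iat", 0),
    }


def make_sample(roles, iat):
    """Constructed sample token (dummy signature) so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"sub": "constructed-user", "iat": iat, "roles": roles}).encode())
    return f"{header}.{body}.{_b64url(b'not-a-real-signature')}"


if __name__ == "__main__":
    login_token = make_sample(["role_foo", "role_bar"], 1700000000)
    stale = make_sample(["role_foo", "role_bar"], 1700000300)
    fresh = make_sample(["role_foo", "role_bar", "role_baz"], 1700000300)
    print("stale refresh:", compare_roles(login_token, stale))
    print("fresh refresh:", compare_roles(login_token, fresh))
```

A result with `reissued` true and an empty `added` list matches the stale-roles symptom in the question; `reissued` false points at the client reusing the old access token.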