Is it possible to refresh token claims without login

OctavioCunha-8450 25 Reputation points
2023-05-05T12:55:05.1033333+00:00

Currently we are using Azure ADB2C to generate an ID token that is used to authenticate our microservices.

This token is obtained through a user flow and it has some custom claims that are obtained through an API connector (that calls a custom API).

We now have a requirement to refresh these custom claims without forcing the user to log in again. Can this be achieved using a user flow, a custom policy or in any other way?

Example: Imagine we have a field address that is returned by our API (in the API connector call) and the ID token is enriched with this address custom claim. The user logs in to the application and this token is generated. Now, if this attribute changes, is it possible to obtain a new token (with the new address custom claim) without forcing the user to log out and log in again?

What we have noticed so far is that this user flow is only executed when the user logs in to the application, and it is not executed when refreshing the token. Can these custom claims be refreshed when refreshing the token?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

Sort by: Most helpful

  2. James Hamil 27,216 Reputation points Microsoft Employee Moderator
    2023-05-10T23:50:59.0766667+00:00

    Hi @OctavioCunha-8450 , if I'm understanding your question correctly, to update a refresh token without logging in again, you can use the refresh token that you received along with the access token. You can submit a POST request to the /token endpoint, providing the refresh_token instead of the authorization code. Refresh tokens are valid for all permissions that your client has already received consent for. You can find more details here. Let me know if this helps!
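As an added example (not the answerer's code or anything from Microsoft), the Python below assembles the refresh_token grant the answer describes against a hypothetical B2C tenant and user flow, then compares a custom claim between the login-time ID token and the refreshed one, which is the check that shows whether the API-connector claim actually changed. Tenant, policy, client ID and both tokens are constructed placeholders, and the scope `openid offline_access` is an assumption.

```python
import base64
import json
from urllib.parse import urlencode

# Placeholder tenant, user flow and client values (hypothetical, not from the thread).
TENANT = "contosob2c"
POLICY = "B2C_1_signupsignin"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"

def token_endpoint(tenant: str, policy: str) -> str:
    """B2C v2.0 /token endpoint for a user flow or custom policy."""
    return f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token"

def refresh_request_body(client_id: str, refresh_token: str, scope: str) -> str:
    """Form body of the refresh_token grant: POSTed to /token, refresh_token in place of a code."""
    return urlencode({"grant_type": "refresh_token", "client_id": client_id,
                      "refresh_token": refresh_token, "scope": scope})

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def constructed_id_token(claims: dict) -> str:
    """Builds an unsigned, sample-only JWT so the example runs offline (constructed input)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_payload(token: str) -> dict:
    """Reads the payload segment only. No signature check: a service must validate
    signature, issuer, audience and expiry (e.g. with a JWKS-backed library) before use."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def claim_refreshed(old_token: str, new_token: str, claim: str) -> bool:
    """True only if the refreshed token carries a different value for the custom claim."""
    return decode_payload(old_token).get(claim) != decode_payload(new_token).get(claim)

if __name__ == "__main__":
    body = refresh_request_body(CLIENT_ID, "<refresh-token-from-login>", "openid offline_access")
    print("POST", token_endpoint(TENANT, POLICY))
    print(body)
    # Constructed tokens reproducing the behaviour described in the question: the API
    # connector ran at login only, so the refreshed token still carries the old address.
    login = constructed_id_token({"sub": "user1", "address": "1 Old St"})
    refreshed = constructed_id_token({"sub": "user1", "address": "1 Old St"})
    print("address refreshed:", claim_refreshed(login, refreshed, "address"))
```

Comparing the claim after each refresh, rather than assuming the grant re-ran the connector, is the cheapest way to confirm what your tenant actually does.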

