Kinde · 10mo ago
e0

Updating a user's name

I would like to have the possibility for a user to change their own name (given_name and family_name). I have figured out that it's possible to update it using the Kinde Management API, and I can verify that the names do get changed. The problem is that after changing the name, the user will not be able to see this change until they log out and log in again. Is it possible for a user to change their name and see it reflected immediately without having to log out and log in again?
15 Replies
Colin · 10mo ago
Hey @e0, I am not an expert at Kinde but did you try refreshing the claims? Which SDK are you using?
e0 (OP) · 10mo ago
Hi @Colin, thanks for looking at this. I did try to refresh the claims using the /api/v1/users/user_id/refresh_claims endpoint. I checked the response and it actually says it has been successfully refreshed, but I think the problem is that the user session token is still not updated. I'm using the SvelteKit SDK. KindeAI just tells me that with this SDK I wouldn't have to manually manage the tokens, but I think I would need to force an update on the id token for this to be updated. Just not sure how to do that.
Colin · 10mo ago
Yeah, I think you are right, you might need to refresh the id token. I don't really know the SvelteKit SDK so I can't go further than that unfortunately, but I am sure the Kinde team here will be happy to help you once they get to your issue.
Daniel_Kinde · 10mo ago
Hi, one method to get this would be to log out the user and log them in using the refresh token. This is done using the https://<your_subdomain>.kinde.com/oauth2/token endpoint with grantType=refresh_token. This will give you a new access_token.
e0 (OP) · 10mo ago
@Daniel_Kinde Thanks for your response. In order to use that endpoint we would need the current refresh_token right? According to KindeAI it seems like it's not possible to get the refresh_token. https://discord.com/channels/1070212618549219328/1205662406446162020/1205682723411206205 Here is what we are doing so far if you are interested. I think we are probably just going to settle for having a label saying the user needs to log out and log back in for the name to be updated.
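```js
// Get a Management API token with the client-credentials (M2M) grant.
const tokenResponse = await fetch(`${KINDE_ISSUER_URL}/oauth2/token`, {
  method: 'POST',
  headers: {
    'content-type': 'application/x-www-form-urlencoded',
  },
  body: new URLSearchParams({
    audience: `${KINDE_ISSUER_URL}/api`,
    grant_type: 'client_credentials',
    client_id: KINDE_CLIENT_ID,
    client_secret: KINDE_CLIENT_SECRET,
  }),
});

// Stop here if the token request failed, so no call goes out with an undefined token.
if (!tokenResponse.ok) {
  throw new Error(`Token request failed: ${tokenResponse.status}`);
}

const { access_token } = await tokenResponse.json();

// Update the user's name through the Management API.
await fetch(`${KINDE_ISSUER_URL}/api/v1/user?id=${encodeURIComponent(user.id)}`, {
  method: 'PATCH',
  headers: {
    Accept: 'application/json',
    Authorization: `Bearer ${access_token}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ given_name, family_name }),
});

// Ask Kinde to refresh the user's claims. This does not replace the
// tokens already held in the user's current session.
await fetch(
  `${KINDE_ISSUER_URL}/api/v1/users/${encodeURIComponent(user.id)}/refresh_claims`,
  {
    method: 'POST',
    headers: {
      Accept: 'application/json',
      Authorization: `Bearer ${access_token}`,
    },
  }
);
```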
Colin · 10mo ago
So it seems I have the same issue for roles and permissions, is there any way to refresh the tokens?
e0 (OP) · 10mo ago
That actually sounds way more concerning. Like if you are revoking certain permissions for a user and they are still signed in at the time. It sounds like they will still have access to their old permissions?
onderay · 10mo ago
As mentioned earlier in this chat, using this endpoint to update the claims https://kinde.com/api/docs/#refresh-user-claims-and-invalidate-cache and then hitting https://<your_subdomain>.kinde.com/oauth2/token endpoint with grantType=refresh_token will get you a new access token with the updated roles and permissions. But this would assume that when a user does X action in your application, you would be checking their permissions against your APIs.
viv (kinde) · 10mo ago
Hi @e0 - you can get the refresh token [https://kinde.com/docs/developer-tools/refresh-tokens/] if you send scope=offline in your request. You can then refresh this using Andre's notes above and this will update your user's permissions/roles/name etc. without them having to log out.
e0 (OP) · 10mo ago
Thank you for the help @viv (kinde). I gave this a try for a few minutes but couldn't get it to work. Also a bit confused at this point about client_id vs the actual user's id for this endpoint. It's not an essential feature for us at this moment so I will give up on it for now. Appreciate all the support from the team though.
Colin · 10mo ago
Did you find a solution yet? I've experienced a similar issue recently and solved it by querying the management API instead of relying on the client SDK. Here is the thread about that: #Permissions and roles not updating after a change using the Nuxt module. This is with Nuxt but should be reproducible with any framework.
e0 (OP) · 10mo ago
Hi! We haven't looked more at this since it's a very low-prio issue, but thank you for sharing! I took a look at your solution and that was a clever workaround. Do you notice any significant delays in response time using this method? I'm also concerned about this eating up the M2M tokens very quickly. My understanding is that whenever the Management API needs to be used, an M2M token is required. https://kinde.com/docs/build/add-a-m2m-application-for-api-access/#how-m2m-tokens-are-calculated-in-kinde
Colin · 10mo ago
This does not seem to use any M2M token as I just use a token from the same app as the one used by Nuxt. I might be wrong but for now the dashboard does not mention any M2M token used. I also cache this token as long as I can to mitigate this kind of issue; you can change the token expiration time in the dashboard depending on your usage. For the response delay, there is definitely a delay when compared to a local dev db but I think that once the app is deployed this will not be an issue. Also you have 2000 M2M tokens a month; if you cache your token for a day you will only use 30 tokens a month on average.
e0 (OP) · 10mo ago
Thanks for the answers @Colin. Makes sense to cache the M2M tokens. Hopefully the team can improve these aspects in the SDKs like you mentioned. Great that you could find a workaround for now though and shared it with us ❤️