Kinde4mo ago
Kenton

Do Roles or Permissions update immediately in user session?

I am wanting to restrict access to certain NextJS routes and pages to users with either a role or permission, but on update (only tested with roles), the role remains the same. My use-case is: I want to allow admins to edit members' roles and user data, but after updating the user, their data on the server or client side does not reflect the updated role. How would you recommend handling this? Thanks
10 Replies
Kenton
KentonOP4mo ago
Thanks for the response. Does refreshTokens() trigger a refresh for all users in an organization or only the current user's session? If it's only the current user's session, this will have no impact on my use-case, since an admin user would be updating the role/permissions of another user. Hey Sam, curious if you have a response to my above message. Thanks!
CB_Kinde
CB_Kinde4mo ago
Hi Kenton, as it's the weekend, the team runs a bit thin, but here's an answer from our AI bot, which looked at our doc. Hope it helps.

Based on the information provided in the sources, the refreshTokens() function only refreshes the tokens for the current user's session, not for all users in an organization. For your use case where an admin user is updating the role/permissions of another user, you're correct that simply refreshing the admin's tokens won't affect the other user's session.

However, Kinde provides a solution for this scenario. You can use the Kinde Management API to force a token update for a specific user. The Refresh User Claims endpoint of the Kinde management API can be used to invalidate the cache for a specific user. This means that the next time an access token is issued for that user, the claims will reflect the current state in Kinde.

Here's how it works: When you make changes to a user's permissions or roles, these changes are updated in Kinde. You can then call the Refresh User Claims API endpoint for the specific user whose permissions were changed. This invalidates the token cache for that user. The next time that user's access token is refreshed (which happens automatically in most SDKs), it will contain the updated permissions and roles.

This approach ensures that the changes made by the admin are reflected in the target user's session without requiring immediate action from that user. Let us know if this answers your question or if someone needs to clarify things further.
Kenton
KentonOP4mo ago
Hi Claire, thanks for the follow-up message. Since my message on Sep 11th, it looks like tokens no longer include roles, only permissions. Was this intended?
import { withAuth } from "@kinde-oss/kinde-auth-nextjs/middleware";
import { NextResponse } from "next/server";

export default withAuth(
  async function middleware(req: KindeNextRequest) {
    const pathname = req.nextUrl.pathname;
    const orgCode = req.kindeAuth?.token?.org_code;
    const userRoles = req.kindeAuth?.token?.roles || []; // Default to empty array if roles is undefined

    // Check if the user has the "admin" role
    const isAdmin = userRoles.some((role) => role.key === "admin");

    // Gate admin-only routes on that role ("/admin" is an example prefix)
    if (pathname.startsWith("/admin") && !isAdmin) {
      return NextResponse.redirect(new URL("/", req.url));
    }
    return NextResponse.next();
  }
);
req.kindeAuth?.token?.roles used to be present when I originally sent this message but now roles is not present.
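The role check from the middleware above, as an added example (not Kenton's code and not part of the Kinde SDK), pulled out into a pure function over the decoded token claims so it can be unit tested. It covers the question's "either a role or permission" case and treats an absent `roles` or `permissions` claim as empty rather than as a pass; the route rules, claim shapes and sample tokens are constructed for this example.

```typescript
// Claims this example reads from a decoded Kinde access token. The field
// names org_code and roles[].key match what the middleware above reads;
// the permissions claim is a string array. Other fields are omitted.
export interface KindeClaims {
  org_code?: string;
  roles?: { id?: string; key: string; name?: string }[];
  permissions?: string[];
}

// One protected route prefix and what unlocks it (constructed for the example).
export interface RouteRule {
  prefix: string;            // e.g. "/admin" protects "/admin" and "/admin/..."
  anyRole?: string[];        // allow if the token carries any of these role keys
  anyPermission?: string[];  // or any of these permission keys
  orgCode?: string;          // optionally pin the route to one organisation
}

export type Decision = { allow: true } | { allow: false; reason: string };

// Decide whether a request to `pathname` is allowed for the given claims.
// The decision only ever sees the claims in the token the request carried,
// so a role changed in Kinde shows up here once that user's token is refreshed.
export function authorizeRoute(
  pathname: string,
  claims: KindeClaims | undefined,
  rules: RouteRule[],
): Decision {
  const rule = rules.find((r) => pathname === r.prefix || pathname.startsWith(r.prefix + "/"));
  if (!rule) return { allow: true }; // route is not protected by any rule
  if (!claims) return { allow: false, reason: "no token" };
  if (rule.orgCode && claims.org_code !== rule.orgCode) {
    return { allow: false, reason: "wrong organisation" };
  }
  // Missing claims default to empty sets: never grant access on an absent claim.
  const roleKeys = new Set((claims.roles ?? []).map((r) => r.key));
  const perms = new Set(claims.permissions ?? []);
  if (rule.anyRole?.some((k) => roleKeys.has(k))) return { allow: true };
  if (rule.anyPermission?.some((p) => perms.has(p))) return { allow: true };
  return { allow: false, reason: "missing role or permission" };
}

// Constructed sample rules and tokens for a quick check.
export const sampleRules: RouteRule[] = [
  { prefix: "/admin", anyRole: ["admin"], anyPermission: ["manage:users"], orgCode: "org_example" },
];
export const adminClaims: KindeClaims = { org_code: "org_example", roles: [{ key: "admin" }] };
export const memberClaims: KindeClaims = { org_code: "org_example", roles: [{ key: "member" }], permissions: [] };
// Token issued with the roles array switched off but a matching permission present.
export const permOnlyClaims: KindeClaims = { org_code: "org_example", permissions: ["manage:users"] };
```

Because the check reads only the token the request carried, an admin changing another user's role in Kinde does not change this decision for that user until their access token is reissued.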
CB_Kinde
CB_Kinde4mo ago
Hey Kenton, just checking you have the roles array option switched on in the access token area of your application. E.g.
Kenton
KentonOP4mo ago
That fixed roles appearing, thank you Claire. I've tried await Users.refreshUserClaims(userClaimsData) but the user access token still references the old role in middleware and in the browser.
import { NextRequest, NextResponse } from "next/server";
import { Users, init } from "@kinde/management-api-js";
import { getUserAndOrg } from "@/utils/auth";
import { RefreshUserClaimsData } from "@kinde/management-api-js/dist/api/types.gen";

// Small helper to wait before responding
function delay(ms: number) {
  return new Promise((resolve) => setTimeout(resolve, ms));
}

export async function GET(req: NextRequest) {
  // Initialise the management API client from environment configuration
  init();
  const { userId, orgId, error } = await getUserAndOrg();

  if (error) {
    return error;
  }

  console.log(userId);
  // Ask Kinde to invalidate the cached claims for this user
  const userClaimsData: RefreshUserClaimsData = {
    userId: userId,
  };
  await Users.refreshUserClaims(userClaimsData);

  await delay(500);

  return NextResponse.json({});
}
Hey Claire, is this something you could help with?
onderay
onderay4mo ago
Hey @Kenton sorry Claire is off sick, I have pinged our NextJS expert to get them to help you.
Kenton
KentonOP3mo ago
Thanks @Andre @ Kinde ! Hey @Andre @ Kinde , has a dev had a chance to look at my message? Thanks!
Daniel_Kinde
Daniel_Kinde3mo ago
Hi @Kenton, this has been looked at now and we found there is an issue with refreshing the orgs on the ID token; I have raised this to get fixed. I will keep you updated; however, this has been raised by a few people, so I anticipate it should not be a long wait. Thank you for your patience.
Oli - Kinde
Oli - Kinde3mo ago
Hey @Kenton, we have made some changes to fix your issue. Are you able to let us know if your issue still exists?
Kenton
KentonOP3mo ago
Hi Oli, thanks for the update! I'll try it tonight 👍