Access Token claims not updating after "Refresh User Claims and Invalidate Cache"
Hi,
I'm currently building a custom user onboarding flow with a multistep form and calling one of my API paths. Within my application settings under Tokens, I have customized the access token with additional claims including Organization Name. Within this path, below are the high level actions being performed:
1. Invoke the API path with the Access token (Bearer token)
2. Validate the token using Kinde JWK
3. Check if the JWT token contains the key org_code
4. If no, then make multiple calls to the Kinde management API to create an organization, add feature flags to the organization, add the user to the organization with an owner role/permissions and then Refresh User Claims and Invalidate Cache.
5. On successful response from my API, reload the app to get a fresh access token with the org details in it.
6. If yes, it means the user has previously created an organization so redirect to the dashboard of the app.
On app reload, I can see the organization information showing in the output of useKindeAuth's getUserOrganizations() but the org key org_code from the additional claims in the access token is missing. getPermissions() and getOrganization() also return null values.
When I log out and login, the claims get updated in the access token.
How can I get the claims updated in the access token without having to log out and log in?
I'm using the Kinde React SDK.
Thanks
17 Replies
Hi, this thread might help you:
https://discord.com/channels/1070212618549219328/1320557296593403904/1320557296593403904
Or this GitHub issue - https://github.com/kinde-oss/kinde-typescript-sdk/issues/63
I suspect what you need to do is log the user in with an org-code (no need to log them out) and if you use prompt = none then they won't visually see the Kinde UI (assuming they have a valid session)
It will be slightly different in React and it's possible that they may have already implemented a switchOrg helper as mentioned by Daniel in the GitHub issue
Thanks heaps @Stephen , will look into this.
Hi @TotalScrub , got around to test this today. After successful API action, i.e. create org, assign roles to the user and invalidating cache and user claims, I tried logging in the user again without logging out.
This did not work
Hoping someone from the Kinde team can provide some information here. Have not heard from anyone here
Tagging @Daniel_Kinde , if you can provide some insight/help please. Thanks
Did you pass in the orgCode for the newly created Org when logging the user in again?
Hi @TotalScrub , yes, I have. Even this document says something similar to what you have mentioned: https://docs.kinde.com/developer-tools/sdks/frontend/react-sdk/#sign-upsign-in-users-to-organizations
So I believe this is how I need to handle it and I am passing in the org_code to the login method but it is not working for me.
A call to my backend API path makes different calls to the Kinde Management API and to my database. I collect important bits and pieces from each call to create a response back to the client, org_code being one of the keys in the response. I'll go through my backend code again to figure out if something is going on there. Will update you here. Thanks for the help
@maxom If the org code is coming back from your backend, and you are successfully calling refreshUserClaims() then it's probably the frontend that needs to be looked at. Or it's a bug in the SDKs. I have the exact scenario you are describing working correctly as it's my onboarding flow for two different personas (same flow, but different roles / orgs), but I'm using Nuxt / Vue (frontend) and .NET (backend) so my tech stack and thus Kinde SDKs are different.
For me I:
- Have the user sign up (Nuxt) via Kinde's default registration flow
- After successful registration I get my backend (.NET) to assign or create an org, and assign roles. I then call refreshUserClaims() .NET using Kinde's Management API
- After this API call to my backend Nuxt will get the user to log in again using the approach detailed in my original response to this support issue.
- For me, it will work. I was hitting the issue you were describing, but that was before I did the login with the org code. So if I was troubleshooting this myself, I'd be making sure that the frontend is actually calling Kinde with the org_code.
I'm doing exactly the same steps described by you: In backend, create organization, add user to organization, add roles and permissions to the users, refresh user claims, I have also added an extra step yesterday to revoke user access token. There are steps in between interacting with my database to sync with Kinde. In the frontend, I'm handling like below. The code in my frontend:
I'm not across the React SDK. Is login() your method or Kinde's? Have you checked the network tab (assuming Chrome or Firefox) to see if the frontend is actually passing in the org code when it redirects to Kinde?
It is from Kinde React SDK
I can see the calls to Kinde in the network tab
Sorry, probably past my knowledge to help with further. The only thing I can think of is that it's possible that the React SDK is using a cached version of the access token (with the old credentials) and is not overwriting it.
For me, when I get Nuxt to do the redirect to login I do it outside of the SDK and just trigger it directly via Nuxt. I can't remember why I did that, I think largely because the Nuxt version of the SDK isn't nearly as complete as the React one (likely due to popularity differences which is understandable)
Based on this discussion, if the same steps are working for you, I need to double check my backend implementation to ensure the value of the org code is correct and I have not made some stupid mistake. Thanks for all the help though.
No problem, also make sure that the refresh claims call actually worked as well and didn't return an error. It could be a simple scope issue with the management API as well.
All the Kinde Management API requests give a 200 OK response
So no issues there
Thank you very much
for the help
NP, best of luck
Ok. So after some painstaking debugging, I found that the org code that I'm returning has a trailing whitespace. FML
After the Kinde API calls, I sync the information to my DB and for the response, I fetch all the information from my DB. When writing it to my DB, I had a typo with a whitespace.
I'm now getting the proper information after login. FML
Thanks again @TotalScrub
Hi @maxom,
Thanks for the update. Glad to hear you were able to track down the issue. 🎉 If you run into any further problems or need any additional help, feel free to reach out.
Happy coding
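The root cause found in this thread, an org code with trailing whitespace being passed to login, can be caught before the redirect and confirmed afterwards. The following is an added example, not code from the thread or from the Kinde SDK; the function names, the sample org code `org_1a2b3c` and the rule that an org code contains no whitespace are assumptions made for illustration.

```javascript
// Added example; the token and org codes below are constructed sample values.
// Assumption: a valid org code contains no whitespace or control characters.
function checkOrgCode(raw) {
  if (typeof raw !== "string" || raw.length === 0) {
    return { ok: false, reason: "org code missing or not a string" };
  }
  const cleaned = raw.trim();
  if (cleaned !== raw) {
    // JSON.stringify makes the otherwise invisible whitespace visible in logs.
    return { ok: false, cleaned, reason: `surrounding whitespace in ${JSON.stringify(raw)}` };
  }
  if (/[\s\u0000-\u001f\u007f\u200b]/.test(raw)) {
    return { ok: false, reason: `whitespace or control character inside ${JSON.stringify(raw)}` };
  }
  return { ok: true, cleaned };
}

// Reads claims for diagnosis only; the signature must already have been
// verified against the JWKS (step 2 of the flow). Buffer is Node-specific.
function readClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Compare the org code sent to login with the one in the token that came back.
function diagnoseOrgClaim(accessToken, requestedOrgCode) {
  const requested = checkOrgCode(requestedOrgCode);
  if (!requested.ok) return `bad requested org code: ${requested.reason}`;
  const claims = readClaims(accessToken);
  if (!("org_code" in claims)) return "token has no org_code claim";
  if (claims.org_code !== requested.cleaned) {
    return `token org_code ${JSON.stringify(claims.org_code)} differs from requested`;
  }
  return "ok";
}

// Constructed, unsigned sample token builder (hypothetical helper for the demo).
function sampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.constructed-signature`;
}

console.log(diagnoseOrgClaim(sampleToken({ sub: "kp_sample" }), "org_1a2b3c "));
console.log(diagnoseOrgClaim(sampleToken({ org_code: "org_1a2b3c" }), "org_1a2b3c"));
```

Running the same check where the backend writes the org code to its database stops the bad value before it is stored.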