
sr8ip (sr8ip) asked a question.
Hi, I have a scenario where I need my users to get newly introduced application scopes present in the access token when their access token is refreshed silently using the current refresh token. However, I do not want to force the customer to log out and prompt for re-sign-in.
Example.
Suppose initially my Okta app has the scope abc:email:readcalender, and my customer gets an access token and a refresh token via the OIDC flow, and his access token has this scope claim. Suppose my app developer introduces a new scope called abc:email:readall two days later; the next time my customer's token gets refreshed, it needs to include this newly introduced scope. Is this supported?

Hi @sr8ip (sr8ip)! Unfortunately, our access tokens are not dynamic; you must re-authenticate to get the current scopes. Furthermore, the initial code response (exchanged for an access token) provided during the authentication process is based on the original scopes, and if you update your scopes you'll also need a new code response - https://developer.okta.com/docs/reference/api/oidc/#token.
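The practical consequence of the answer above is that the client has to notice when a silently refreshed token lacks a scope the application now needs and then start a new authorization request for the full scope list. The following is an added example, not code from the original thread or from Okta: it reads the scope claims of a freshly received access token (Okta puts them in the `scp` array; tokens following RFC 9068 use a space-delimited `scope` string), computes which required scopes are missing, and, if any are, builds a PKCE authorization URL requesting the new scope set. The issuer, client ID, redirect URI and the sample tokens are constructed placeholders, and the claim reader deliberately does not verify the signature, so it must only be applied to a token the authorization server just returned over TLS, never to a token presented by a caller.

```python
"""Decide whether a silently refreshed access token already carries every scope
the application needs, or whether a new authorization request is required.
Added example with constructed sample tokens; no real Okta tenant is involved."""
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unverified_claims(jwt: str) -> dict:
    """Return the payload claims WITHOUT signature verification.

    Only inspect tokens that the authorization server itself just issued to
    this client; anything received from a third party must be verified first."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(claims: dict) -> set:
    # Okta access tokens: `scp` is a JSON array. RFC 9068 style: `scope` string.
    if isinstance(claims.get("scp"), list):
        return set(claims["scp"])
    return set(str(claims.get("scope", "")).split())


def missing_scopes(jwt: str, required) -> set:
    """Scopes the app requires that the refreshed token does not carry."""
    return set(required) - granted_scopes(unverified_claims(jwt))


def build_reauth_url(issuer: str, client_id: str, redirect_uri: str,
                     required, state: str, code_verifier: str) -> str:
    """Authorization request for the full, updated scope list (PKCE S256).

    A new `code` response is what the answer above says is needed once scopes
    change; the refresh grant alone will not add scopes."""
    challenge = _b64url_encode(hashlib.sha256(code_verifier.encode()).digest())
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(required)),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def make_sample_token(scopes) -> str:
    """Constructed, unsigned demo token so the example runs offline.
    The signature segment is a placeholder; real tokens are RS256-signed."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    payload = _b64url_encode(json.dumps({"sub": "00u-demo", "scp": list(scopes)}).encode())
    return f"{header}.{payload}.placeholder-signature"


def after_refresh(jwt: str, required, issuer, client_id, redirect_uri):
    """Return ('ok', None) if the token suffices, else ('reauth', url)."""
    gap = missing_scopes(jwt, required)
    if not gap:
        return "ok", None
    state = secrets.token_urlsafe(16)      # store alongside the verifier
    verifier = secrets.token_urlsafe(64)   # 43..128 chars per RFC 7636
    return "reauth", build_reauth_url(issuer, client_id, redirect_uri,
                                      required, state, verifier)


if __name__ == "__main__":
    required = {"abc:email:readcalender", "abc:email:readall"}
    old = make_sample_token(["abc:email:readcalender"])   # issued before the new scope existed
    print(after_refresh(old, required, "https://example.okta.com/oauth2/default",
                        "client-id-placeholder", "https://app.example/callback"))
```

The check runs on the token returned by the refresh grant; when a scope is missing the client redirects the user through the returned URL rather than retrying the refresh, since the refresh token cannot produce scopes the original code was not issued for.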
Hi Simona, thank you for the response. Do you know whether there is any application configuration in Okta that can be used to invalidate all the current refresh tokens, so that whenever a refresh token exchange request is received, the user is prompted to re-sign in instead of silently exchanging the current refresh token for a new access token? That way we can guarantee that the newly issued scope is included in the customer's access token.