I am currently developing a project that uses @okta/oidc-middleware (aka Express OIDC for Node.js) for authentication. In this project, I retrieve a custom attribute for the user via the ID token.
The main issue is that the user has an option to update the attribute value but I am unsure how to retrieve the new value.
One option is to force a local/app logout and log them back in; however, I don’t want the user’s ‘session’ to be interrupted if possible.
I know it is possible to overwrite the value that is stored for the session, which is another possible option; however, keeping control on the Okta side would also be preferable (in case they selected an option that is rejected by a webhook, for example).
The best option I can think of is to retrieve the new value via API and store it in the new session.
My main question is: what would be the best way to go about it? As far as I know, there is no option to ‘refresh’ the session, from what I can see on the GitHub page.
@abroadhurst If you customize an attribute as a claim in the ID token, you can still change the claim value via profile mappings. Could you please clarify what new value you need to update? Did you try profile mapping?
So the variable is called ‘course’: the user is a student and signs up to the website, but can then request to sign up for a course. The user’s profile is then updated with the string value of the course via API.
‘course’ is included in the ID token, but the ID token only contains the value of course from the initial login (which is ‘null’, because the user is yet to sign up for the course). It doesn’t get updated until after they log out and log back in.
I’m just wondering if I am missing something, or what best practice is for this situation.
@abroadhurst If the user has not signed up for the course yet, it makes sense that the ‘course’ value is null.
To update your token with a new value, you may need to revoke the old token and get a new one.
Please check the doc below and see if it helps.
Thank you for your response. Could you explain how I do it with the OIDC middleware? I can’t seem to find any documentation on forcing it to retrieve a refresh token.
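One way to pick up the changed claim without ending the login, as an added example that is not part of this thread or of the @okta/oidc-middleware project: re-read the claim from the authorization server's /v1/userinfo endpoint with the session's access token and update the session copy. It assumes the middleware has populated `req.userContext` as `{ userinfo, tokens }`, that the custom claim is named `course`, and that the claim is configured to be returned from userinfo; the issuer URL and the route name are placeholders.

```javascript
// Added example, not code from the thread or from @okta/oidc-middleware.
// Assumed: the middleware populated req.userContext as
// { userinfo, tokens: { id_token, access_token } }, the custom claim is
// named "course", and the claim is configured so the authorization
// server's /v1/userinfo endpoint returns it. fetch is injectable so the
// logic also runs offline against a stub.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

// Reads claims from a JWT the middleware already validated. No signature
// check here, so use it only to inspect, never to make a trust decision.
function decodeJwtClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Re-reads one claim from /userinfo with the session's access token and
// stores it on the session copy, so the login is not interrupted and the
// value still comes from Okta (where profile mappings and hooks apply).
async function refreshClaim(userContext, claimName, fetchUserinfo) {
  const fresh = await fetchUserinfo(userContext.tokens.access_token);
  if (fresh.sub !== userContext.userinfo.sub) {
    throw new Error('userinfo subject does not match this session');
  }
  userContext.userinfo[claimName] = fresh[claimName] ?? null;
  return userContext.userinfo[claimName];
}

// Express route handler: refreshes the cached claim on demand.
function makeRefreshHandler(issuer, claimName, fetchImpl = globalThis.fetch) {
  const fetchUserinfo = async (accessToken) => {
    const res = await fetchImpl(`${issuer}/v1/userinfo`, {
      headers: { Authorization: `Bearer ${accessToken}` },
    });
    if (!res.ok) throw new Error(`userinfo failed: HTTP ${res.status}`);
    return res.json();
  };
  return async (req, res, next) => {
    try {
      const value = await refreshClaim(req.userContext, claimName, fetchUserinfo);
      res.json({ [claimName]: value });
    } catch (err) {
      next(err);
    }
  };
}
```

Mount it behind the middleware's login check, e.g. `app.get('/refresh-course', oidc.ensureAuthenticated(), makeRefreshHandler(process.env.OKTA_ISSUER, 'course'))`, and call it after the course sign-up succeeds. The old ID token itself is not changed by this; the refreshed value lives in the session copy until the next login.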