7

I'm using ASP.NET Core 1.1 and IdentityServer4. I've created a policy in my client Startup.cs that prevents all non-verified email accounts from using some sections of the website.

Here's the code of my policy:

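// Add policies (inside Startup.ConfigureServices; JwtClaimTypes comes from the IdentityModel namespace)
services.AddAuthorization(authorizationOptions =>
{
    authorizationOptions.AddPolicy(
        ApplicationGlobals.Policy_HasValidatedAccount,
        policyBuilder =>
        {
            policyBuilder.RequireAuthenticatedUser();
            // RequireClaim takes (claimType, params string[] allowedValues), so every
            // extra argument is another accepted value. Passing ClaimValueTypes.Boolean
            // here would accept that URI string as a value, so it is left out.
            policyBuilder.RequireClaim(JwtClaimTypes.EmailVerified, "true");
        });
});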

The question is: How can I refresh this EmailVerified claim AFTER the user has confirmed his account? The only way I found was to log out / log in ...

iPeo

1 Answer

4

If the information you are checking against is in the token, then yes, the only way to get a new token is a new token request (aka authentication).

If you need something more dynamic, don't use data from a token.

https://leastprivilege.com/2016/12/16/identity-vs-permissions/

leastprivilege
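One way to follow the answer's advice and keep the verification check out of the token, shown as an added example that is not code from the question or the answer: a custom authorization requirement whose handler uses the token only for the user's `sub` and reads the current state on each check. `IAccountStatusService`, `DbAccountStatusService`, `VerifiedEmailRequirement` and `VerifiedEmailHandler` are hypothetical names, and the sketch assumes the `sub` claim keeps its JWT name on the client (inbound claim type mapping disabled).

```csharp
using System.Threading.Tasks;
using IdentityModel;
using Microsoft.AspNetCore.Authorization;

// Hypothetical lookup against the current account state (user database,
// or an API exposed by the identity provider). Not part of any library.
public interface IAccountStatusService
{
    Task<bool> IsEmailVerifiedAsync(string subjectId);
}

public class VerifiedEmailRequirement : IAuthorizationRequirement { }

public class VerifiedEmailHandler : AuthorizationHandler<VerifiedEmailRequirement>
{
    private readonly IAccountStatusService _accounts;

    public VerifiedEmailHandler(IAccountStatusService accounts)
    {
        _accounts = accounts;
    }

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, VerifiedEmailRequirement requirement)
    {
        // The token only identifies the user ("sub"); the verification
        // state is read fresh on every authorization check.
        var subjectId = context.User.FindFirst(JwtClaimTypes.Subject)?.Value;
        if (subjectId == null)
        {
            return; // no subject claim: requirement stays unmet, access is denied
        }

        if (await _accounts.IsEmailVerifiedAsync(subjectId))
        {
            context.Succeed(requirement);
        }
    }
}

// In Startup.ConfigureServices:
//   services.AddScoped<IAuthorizationHandler, VerifiedEmailHandler>();
//   services.AddScoped<IAccountStatusService, DbAccountStatusService>(); // hypothetical implementation
//   services.AddAuthorization(o => o.AddPolicy(
//       ApplicationGlobals.Policy_HasValidatedAccount,
//       p => p.RequireAuthenticatedUser()
//             .AddRequirements(new VerifiedEmailRequirement())));
```

Because the handler fails closed when the lookup returns false or the subject is missing, a user who confirms the address gains access on the next request without a new sign-in, and a revoked verification takes effect just as quickly.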