Changing Claims of an already authenticated User?

Question

Is there any way we could pass extra parameters to the signinsilent / silent refresh call from oidc-client based on which I could add extra claims to the access token?

Basically we have resource servers and authorisation server ( identity server 4 setup) which deals with both identity Managment and authorization). Our product is an Angular app and we call APIs using access tokens and we are using oidc-client on client side. We use silent renew to renew the token on client side.

In our application user can have access to multiple organization and in each organization use can have different roles. Currently when user logs in I am adding roles of default organization as role claims. When user switch to other organization I need to refresh claims with new organization roles. I am using implicit flow.

Please help me out with suggestions.

Answer 1

To follow the oidc protocol you can use something like &acr_values=tenant:your-org in the tail of your query, then handle that on IdSrv side. This answer to a similar question could help.

And you do not have to embed that into the existing silent refresh triggering logic. You may construct your new auth request yourself, just keep the redirect_uri to silent-refresh.html. In general that's it.