When a user logs on we get a refresh token and access token. The JWT has the roles in the object like this:

```json
{
  ...
  "roles": [
    "role_foo",
    "role_bar"
  ]
}
```
These roles are inherited from the group and assigned during that initial login when it creates an active session.
Say a user logs in and creates this session and we update their group roles to be:

```json
{
  ...
  "roles": [
    "role_foo",
    "role_bar",
    "role_baz"
  ]
}
```
We should expect this to be the roles when a user creates a fresh session by logging in or when the user follows the refresh flow to get a new `access_token`. However, when a user uses a valid `refresh_token`, the returned `access_token` from this refresh flow still matches the original session's grants:

```json
{
  ...
  "roles": [
    "role_foo",
    "role_bar"
  ]
}
```
Am I misconfiguring something so that it gets the most up-to-date roles on refresh?
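The behaviour described in the question is easy to miss in testing because the refreshed token is perfectly valid; only its `roles` claim is out of date relative to the directory. The following added example (not code from the original post, and not the identity provider's own implementation) shows a small check a service can run on a token returned by the refresh flow: it verifies the signature before trusting any claim, then diffs the `roles` claim against the roles the directory currently holds for the user. Roles missing from the token are the symptom asked about; roles still in the token that have since been revoked are the more dangerous direction, since a stale token keeps granting access that was withdrawn. The token format here is HS256 with a constructed key, and `mint_token`, `verify_and_decode` and `role_drift` are hypothetical helper names chosen for this example; a real provider will typically sign with an asymmetric algorithm and publish its keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for this example only; a real IdP publishes its own keys.
SECRET = b"constructed-demo-hmac-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SECRET) -> str:
    """Build an HS256 JWT; stands in for the access token the IdP returns."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_and_decode(token: str, key: bytes = SECRET) -> dict:
    """Verify the signature and expiry first; unverified claims are never trusted."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims


def role_drift(token: str, current_roles: set, key: bytes = SECRET) -> dict:
    """Diff the verified roles claim against the directory's current roles for the user."""
    token_roles = set(verify_and_decode(token, key).get("roles", []))
    return {
        # granted in the directory but absent from the token: the symptom in the question
        "missing": sorted(current_roles - token_roles),
        # still in the token although revoked in the directory: stale grant, the risky case
        "stale": sorted(token_roles - current_roles),
        "in_sync": token_roles == current_roles,
    }


def demo() -> dict:
    """Reproduce the scenario from the question with constructed data."""
    now = int(time.time())
    login_roles = ["role_foo", "role_bar"]                 # roles captured at initial login
    current_roles = {"role_foo", "role_bar", "role_baz"}   # group updated after login
    # The refresh flow hands back a token that still carries the login-time roles.
    refreshed = mint_token({"sub": "alice", "roles": login_roles, "exp": now + 300})
    return role_drift(refreshed, current_roles)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports `role_baz` as missing and nothing stale, which is exactly the mismatch in the question. Because `role_drift` verifies the signature before comparing, a token whose payload has been edited to add a role is rejected outright rather than being reported as "in sync"; the diff is only ever computed over claims the issuer actually signed.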