
[Bug]: userinfo endpoint returns outdated roles #2640


Closed
darioielardi opened this issue Feb 6, 2024 · 7 comments

@darioielardi

darioielardi commented Feb 6, 2024

What happened?

After changing, for example, the user full name or first name or any other user detail from the FusionAuth UI, if I then hit the userinfo endpoint, I get back the updated data. But if I change any user registration to add or remove any role and then hit the userinfo endpoint, I get the old roles array. I need to logout, get a new token, call the userinfo endpoint again, and then the roles array will be correct. It seems like the roles array is retrieved from the token sent with the request rather than fetching the updated one.

Version

1.40.2

Affects Versions

No response

Related

@robotdan robotdan added the enhancement New feature or request label Feb 7, 2024
@robotdan
Member

robotdan commented Feb 7, 2024

Currently the UserInfo endpoint is returning you the roles claim from the provided access token (JWT).

We could optionally return you the current roles instead of what is in the JWT. On one hand this seems more correct, but if you are using the UserInfo response to identify the current state of the access token (JWT) then it isn't as ideal.

Internal:

  • Let's review this endpoint in the context of any changes that are coming for the custom scopes feature and see if the current behavior is as correct as it could be.

@darioielardi
Author

> Currently the UserInfo endpoint is returning you the roles claim from the provided access token (JWT).
>
> We could optionally return you the current roles instead of what is in the JWT. On one hand this seems more correct, but if you are using the UserInfo response to identify the current state of the access token (JWT) then it isn't as ideal.
>
> Internal:
>
>   • Let's review this endpoint in the context of any changes that are coming for the custom scopes feature and see if the current behavior is as correct as it could be.

My thoughts exactly, I was wondering if there could be something like a param to configure the endpoint behavior. I'll wait for updates, thank you.

@robotdan
Member

After reviewing this internally, I think the current behavior is correct, or at least it is the intended behavior.

The reason for this behavior is that we are only returning claims that exist in the access token in order to represent the current state of the access token, or what the user would have access to if you provided your service with this token.

So for the roles claim specifically, the only reason this claim is returned on this endpoint is because it exists in the access token, and we would not want to mutate this claim to be different than what was true when the access token was created and signed.

In an upcoming release we will be expanding our support for scopes. Specifically, allowing you to define custom scopes and then allowing the UserInfo endpoint to respond to those scopes using a lambda function.

This means, for your specific use case, if you do actually want the most current value for the roles claim, you could optionally update this claim using the lambda function. @darioielardi does this seem like a reasonable solution to you?

@robotdan robotdan added working as designed and removed enhancement New feature or request labels Feb 22, 2024
@robotdan robotdan self-assigned this Feb 22, 2024
@darioielardi
Author

@robotdan Sorry for the long wait, I missed your reply somehow.

I understand the reasoning behind your decision, it totally makes sense.
I'm not sure I understand your last point though, what do you mean by "update this claim using the lambda function"?

@mooreds
Collaborator

mooreds commented May 16, 2024

I think he means to use the JWT populate lambda which can read roles from the registration and put them into the JWT.

@andrewpai

We released support for custom OAuth scopes in version 1.50.0, and along with that came a new Userinfo Populate Lambda, which you can use to customize the response of the /oauth2/userinfo endpoint.

We are going to leave the default behavior as it is, as reflecting the validated claims is the intent of our current implementation.
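The two behaviours discussed in this thread, modelled as an added example that is not FusionAuth's code: a userinfo handler that copies the roles claim from the validated access token (the default described above), and a populate-style lambda that replaces that claim with the registration's current roles. The lambda argument order `(userInfo, user, registration, jwt)` is an assumption modelled on the UserInfo Populate Lambda; the token claims, user record, application id and clock values are constructed sample data.

```javascript
// Added example, not FusionAuth's implementation. Models why /oauth2/userinfo
// returns the roles claim as it was signed into the access token, and how a
// populate-style lambda could overwrite it with the registration's live roles.

const APPLICATION_ID = "app-abc"; // constructed sample value

// Constructed: claims as they were when the access token was issued and signed.
// At signing time the registration only had the "user" role.
const tokenClaims = Object.freeze({
  sub: "user-123",
  aud: APPLICATION_ID,
  iat: 1_700_000_000,
  exp: 1_700_003_600,
  roles: Object.freeze(["user"]),
});

// Constructed: the user record after an admin added "admin" to the registration
// (and, say, edited the first name). The token above has not been re-issued.
const user = {
  id: "user-123",
  email: "dario@example.com",
  firstName: "Dario",
  registrations: [{ applicationId: APPLICATION_ID, roles: ["user", "admin"] }],
};

// Stand-in for token validation. A real endpoint verifies the signature first;
// here only expiry is checked, against a clock supplied by the caller.
function validateToken(claims, nowSeconds) {
  if (claims.exp <= nowSeconds) throw new Error("token expired");
  return claims;
}

// Default behaviour from the thread: profile fields reflect the current user
// record, but claims that live in the token (roles) mirror the validated token,
// so the response describes what this token grants, not what the user has now.
function userInfoFromToken(claims, currentUser) {
  return {
    sub: claims.sub,
    email: currentUser.email,
    given_name: currentUser.firstName,
    roles: [...claims.roles],
  };
}

// Populate-style lambda (assumed shape). It mutates the response in place and
// swaps in the registration's current roles. The signed value is kept under a
// separate key so a consumer can still see what the token actually carried.
function populate(userInfo, currentUser, registration, jwt) {
  userInfo.roles = [...registration.roles];
  userInfo.token_roles = [...jwt.roles];
}

// The endpoint: validate, build the default response, optionally run a lambda.
function userInfo(claims, currentUser, nowSeconds, lambda) {
  const validated = validateToken(claims, nowSeconds);
  const registration = currentUser.registrations.find(
    (r) => r.applicationId === validated.aud
  );
  const response = userInfoFromToken(validated, currentUser);
  if (lambda && registration) lambda(response, currentUser, registration, validated);
  return response;
}

console.log("default :", userInfo(tokenClaims, user, 1_700_000_100));
console.log("lambda  :", userInfo(tokenClaims, user, 1_700_000_100, populate));
```

With the default handler the updated name comes back immediately while `roles` stays `["user"]` until a new token is issued, which is exactly the symptom reported. With the lambda the live roles appear, but the response no longer answers "what does this token grant?", which is the trade-off the maintainers point out. Either way, a role removed from the registration stays in already-issued tokens until they expire, so the access token lifetime bounds how long a revoked role remains usable.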
