We are using IdentityServer3 to authenticate our users. We run it on a separate web application to the main application API. There is a hierarchy of claims - for example, sites, factories and equipment. It is possible for a user to have a claim for a piece of equipment that is at a factory, but not have a claim for the entire factory, or the site.
The distribution of claims is handled by means of a background job.
When a user creates a site, factory or equipment a claim is created for them, this may have also been distributed to other users.
When a request comes into the engine API we need to be sure we're looking at the most up to date set of claims for the current user.
Is there any way to guarantee that the most recent claims are sent to the API each time?
If the data you need changes that frequently, then the advice is to not put them as claims in a token or in a cookie. Instead just put the user's unique id (sub claim) in the token or cookie, and then lookup the rest from the DB as needed. If perf is a problem, then do caching.
来源:https://stackoverflow.com/questions/37571337/refreshing-claims-without-refreshing-token