Change claims value while keeping user logged in c# web api and jquery client
I have a web application which has different shift types that are accessed either by set users in the database for each shift, or you can log in as a basic requester with your Active Directory account.
It's using OAuth token-based authentication, and when the user logs in it's saving a shift type value passed from the shift originally selected.
```csharp
identity.AddClaim(new Claim("shiftType", shiftID.ToString()));
```
Database users can only access the shift they're assigned to; however, I'd like AD users to be able to flip between shifts where it's allowed. There are some shifts where, for example, if you logged in on shift 1, you can view shift 2 but not 3. If someone wants to change from shift 1 and start viewing 2, how can I go about calling the API from JavaScript and updating the shiftType claim while keeping the user logged in, and have that update be found when accessing the APIs afterwards? I do checks on the controllers to make sure that the claim value is allowed to view a controller.
Thanks
Solution 1:[1]
You can go with Token Exchange. Even if you have your own backend which issues tokens, it will not be difficult to implement this standard. Your case is one that fits very well with Token Exchange - your client has an access token with a set of given claims, but needs an access token with a different set of claims. You will send the access token to the exchange endpoint, and the Authorization Server / backend will decide whether it can change claims for this user. If so, a new token will be issued and signed and returned to the client. This can still be the same user's token, so there will be no need to log the user in again.
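As an added example (not part of the original answer and not the asker's C# code), the sketch below models the server-side decision behind such an exchange endpoint in JavaScript. The HMAC-signed token format, the `userType` and `loginShift` claims, the `VIEWABLE` policy table and all function names are assumptions made for the illustration.

```javascript
const crypto = require('crypto');

const KEY = crypto.randomBytes(32); // constructed demo key; a real backend keeps its own signing key
// Hypothetical policy, keyed by the shift chosen at login: shifts an AD user may switch to.
const VIEWABLE = new Map([['1', ['2']], ['2', ['3']], ['3', []]]);

const mac = (body) => crypto.createHmac('sha256', KEY).update(body).digest('base64url');

function issue(claims) {
  const body = Buffer.from(JSON.stringify(claims)).toString('base64url');
  return `${body}.${mac(body)}`;
}

function verify(token, now) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return null;
  const [body, sig] = parts;
  const given = Buffer.from(sig);
  const expected = Buffer.from(mac(body));
  // Constant-time comparison; the body is parsed only after the signature checks out.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  return claims.exp > now ? claims : null; // reject expired tokens
}

// Exchange endpoint logic: current token in, token with a different shiftType out.
function exchange(subjectToken, requestedShift, now = Math.floor(Date.now() / 1000)) {
  const claims = verify(subjectToken, now);
  if (!claims) return { status: 401, error: 'invalid_token' };
  // Database users stay on their assigned shift; only AD users may switch.
  if (claims.userType !== 'AD') return { status: 403, error: 'shift_fixed' };
  const target = String(requestedShift);
  // Decide from loginShift, not the current shiftType, so exchanges cannot be chained 1 -> 2 -> 3.
  const allowed = [claims.loginShift, ...(VIEWABLE.get(claims.loginShift) || [])];
  if (!allowed.includes(target)) return { status: 403, error: 'shift_not_allowed' };
  // Same subject, same expiry: only shiftType changes, the session is not extended.
  return { status: 200, access_token: issue({ ...claims, shiftType: target }) };
}
```

On a 200 response the client replaces its stored token with `access_token` and sends that on later API calls, so the existing controller checks on `shiftType` keep working unchanged.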
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Michal Trojanowski |
