JonPSmith / AuthPermissions.AspNetCore

This library provides extra authorization and multi-tenant features to an ASP.NET Core application.

Home Page: https://www.thereformedprogrammer.net/finally-a-library-that-improves-role-authorization-in-asp-net-core/

Some claim changes ignored until logout/login

TheObliterator opened this issue · comments

I've implemented the RoleChangedDetectorService and if I change the roles assigned to a user it seems to take immediate effect, which is great. However, if I edit the permissions enabled in a role this doesn't seem to trigger an update to logged-in users' claims.
It seems to identify users that will be impacted (i.e. users belonging to that role), but it doesn't actually cause their claims to be updated (until the user logs out and back in). Am I missing something?

Additionally, if I edit the tenant a user belongs to, the user's data key in their claim does not get updated (until logout/login).
Is this by design? The TenantKeyOrShardChangeService only looks to detect changes to the Tenant Hierarchy, not changes to an individual user's tenant.

I've implemented the various change services as per your examples, so my understanding is it shouldn't be necessary for the user to logout and log back in again for changes to their account to become effective. Specifically I've implemented: GlobalChangeTimeService, SomethingChangedCookieEvent, RoleChangedDetectorService and TenantKeyOrShardChangeService.

Thanks in advance and apologies if I'm missing something obvious.

Hi @TheObliterator,

I've implemented the RoleChangedDetectorService...

The EF Core context.SavingChanges event doesn't capture a new entity being added. You need to use the ChangeTracker.Tracked or ChangeTracker.Tracked event. I found this when I was writing the Entity Framework Core in Action book - I found it rather odd, but the EF Core team said that's how it works. That's also why I called the class RoleChangedDetectorService.

if I edit the tenant a user belongs to, the user's data key in their claim does not get updated...

Updating a claim of a logged-in user is a known ASP.NET Core issue, and it's hard to do it well. I tried various ways to do this, but I finally found a solution that works with minimal effect on performance. Have a look at the article ASP.NET Core: Three(+1) ways to refresh the claims of a logged-in user.

Thanks. Yes, that documentation has been very helpful already.

Am I correct in thinking your RoleChangedDetectorService doesn't monitor changes to Role Permissions? i.e. when Role A has a new permission enabled or an existing permission disabled? Rather, it just monitors when users' roles are changed? i.e. John Doe had Role A but is later granted Role B as well? I'm slightly confused because if I update the enabled permissions in a role, the service appears to identify all users using that role (placing them in the cache) - but their permissions don't immediately change (i.e. it still requires logout/login).

I've looked at TenantKeyOrShardChangeService in more detail and now understand it's only concerned with an entire tenant being moved - not a user changing tenant as I first thought. I should be able to create my own UserTenantChangedService using the documentation/examples you provide.

Thanks once again for your help and such a useful library.

The RoleChangedDetectorService class detects changes to the permissions, and the users that are affected by the permissions change, and then caches these changes in a global cache. The other part can be seen in the UpdateRoleClaimMiddleware (found in Example2), which updates the Permissions claim. This is using approach 2 in the ASP.NET Core: Three(+1) ways to refresh the claims of a logged-in user article.

I hope that helps.
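The two-part pattern described in the thread (a detector records which users were affected by a role or permission change in a process-wide cache; a middleware checks that cache on each request and re-issues the cookie with a fresh Permissions claim) can be sketched as follows. This is an added, self-contained illustration and not code from AuthPermissions.AspNetCore or from Example2; the type names ChangedUsersCache, IPermissionLookup and RefreshPermissionClaimMiddleware, the claim type strings "Permissions" and "ClaimsIssuedUtc", and the assumption that the detector side (an EF Core ChangeTracker event handler) calls MarkChanged are all assumptions made for this example.

```csharp
// Added example (not the library's code): cache of changed users plus a
// claim-refreshing middleware, i.e. the "approach 2" shape the thread refers to.
using System;
using System.Collections.Concurrent;
using System.Globalization;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;

// Hypothetical singleton: user id -> UTC time a role/permission change affecting
// that user was saved. The detector (e.g. an EF Core ChangeTracker.Tracked or
// StateChanged handler, not shown) calls MarkChanged for each affected user.
public sealed class ChangedUsersCache
{
    private readonly ConcurrentDictionary<string, DateTime> _changedAtUtc = new();

    public void MarkChanged(string userId) => _changedAtUtc[userId] = DateTime.UtcNow;

    // True when a change for this user is newer than the claims the cookie carries.
    public bool NeedsRefresh(string userId, DateTime claimsIssuedUtc)
        => _changedAtUtc.TryGetValue(userId, out var changedAt) && changedAt > claimsIssuedUtc;
}

// Hypothetical: reads the user's current permissions (e.g. a packed string) from the database.
public interface IPermissionLookup
{
    Task<string> GetPermissionsAsync(string userId);
}

public sealed class RefreshPermissionClaimMiddleware
{
    private const string PermissionsClaimType = "Permissions";   // assumed claim type name
    private const string IssuedAtClaimType = "ClaimsIssuedUtc";  // assumed: when claims were last built
    private readonly RequestDelegate _next;

    public RefreshPermissionClaimMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context, ChangedUsersCache cache, IPermissionLookup lookup)
    {
        var user = context.User;
        var userId = user.FindFirstValue(ClaimTypes.NameIdentifier);
        var issuedAtText = user.FindFirstValue(IssuedAtClaimType);

        if (userId != null
            && DateTime.TryParse(issuedAtText, CultureInfo.InvariantCulture,
                                 DateTimeStyles.RoundtripKind, out var issuedAtUtc)
            && cache.NeedsRefresh(userId, issuedAtUtc))
        {
            // Only users flagged by the detector pay the database cost; everyone else
            // passes through with a dictionary lookup, which keeps the per-request overhead small.
            var freshPermissions = await lookup.GetPermissionsAsync(userId);

            // Copy every claim except the two we are replacing, then add the new values.
            var kept = user.Claims.Where(c => c.Type != PermissionsClaimType && c.Type != IssuedAtClaimType);
            var identity = new ClaimsIdentity(kept, user.Identity?.AuthenticationType);
            identity.AddClaim(new Claim(PermissionsClaimType, freshPermissions));
            identity.AddClaim(new Claim(IssuedAtClaimType, DateTime.UtcNow.ToString("O", CultureInfo.InvariantCulture)));

            var refreshed = new ClaimsPrincipal(identity);

            // Re-issue the auth cookie so later requests carry the new claims, and swap the
            // principal for this request so authorization sees the change immediately.
            await context.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, refreshed);
            context.User = refreshed;
        }

        await _next(context);
    }
}
```

Register the cache as a singleton and add the middleware after UseAuthentication and before UseAuthorization, so the refreshed principal is what the authorization policies evaluate. The "ClaimsIssuedUtc" comparison is what lets the cache stay small and stateless about individual sessions: an entry is simply ignored once every cookie for that user has been re-issued after the change time.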