[docs-only] Claim update process (proxy service readme)

Martin Mattel
2024-11-11 12:28:20 +01:00
parent 22d80256d6
commit f3e86c0de8

@@ -128,6 +128,14 @@ somewhat costly operation, especially if the user is a member of a large number
groups. If the group memberships of a user are changed in the IDP after the
first login, it can take up to 5 minutes until the changes are reflected in Infinite Scale.
### Claim Updates
OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's detail, like name or picture. Each scope returns a set of user attributes, which are called claims. The scopes an application should request, depends on which user attributes the application needs. Once the user authorizes the requested scopes, the claims are returned in an ID Token.
Claims cant get updated automatically in Infinite Scale when there is a change in the IDM (identity management). JWT tokens generated by the IDP (OpenID Connect provider) requested by Infinite Scale, are immutable, means they reflect the IDM claim state when issued. Therefore you can't change or update claims on existing tokens. To provide updated claim information for users in Infinite Scale, a new immutable token must be requested. This especially affects claim changes like changed user details or group names and applies for users individually.
Because there are many ways to implement expiry and handling of access and refrash tokens, only the general advice to (re)log in to get updated claim information can be given. This also applies for connected apps like the Desktop, iOS or Android app!
## Automatic Quota Assignments
It is possible to automatically assign a specific quota to new users depending on their role.
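Review bot: The new "Claim Updates" paragraphs contain spelling and grammar slips that should be fixed before merge: "cant" should be "cannot", "refrash tokens" should be "refresh tokens", "a user's detail" should be "details", the comma in "should request, depends on" should be dropped, and "are immutable, means they reflect" reads better as "are immutable, meaning they reflect". The second paragraph says changed "group names" require a new token, directly after the context lines stating that group membership changes are reflected within 5 minutes; please spell out how the two cases differ, since an operator who removes a user from a group needs to know which of the two delays applies to that access change. The section also moves from "ID Token" in the first paragraph to "access and refresh tokens" in the last without saying which token Infinite Scale reads the claims from; one sentence naming it would remove the ambiguity. Finally, "IDP (OpenID Connect provider)" is expanded here although IDP is already used unexpanded in the preceding context, so consider moving the expansion to the first use.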