Add Auth Core Role on Automatic User Migration

Thanks for the quick reply, Dan

We ended up taking a different approach in the short term so I deleted my rule :confused: But, we need to make this happen eventually. What I was using is a simplified version of the same code as this other post:

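function (user, context, callback) {
  /**
   * Auth0 rule: on a verified user's first login, assign a default role plus
   * any role mapped to the user's e-mail domain through the Management API.
   *
   * @param {object} user - profile of the user logging in
   * @param {object} context - login transaction context (stats, protocol)
   * @param {function} callback - rule continuation: callback(err, user, context)
   *
   * NOTE(review): the author reports that roles assigned here are not
   * reflected in the access token's `permissions` for this same login, only
   * for the next one. Until that is confirmed, do not rely on first-login
   * permissions for authorization decisions.
   */

  // The domain-to-role mapping is only trustworthy once the address is
  // verified; an unverified address is just a claim made by the user.
  if (!user.email || !user.email_verified) {
    return callback(null, user, context);
  }

  // Short-circuit if the user signed up already or is using a refresh token.
  if (context.stats.loginsCount > 1 || context.protocol === 'oauth2-refresh-token') {
    return callback(null, user, context);
  }

  // Returns the role ids for an address, or [] when it cannot be parsed.
  const getRolesForUser = (profile) => {
    const assigned = [
      'rol_XXXXXXXXXXXX' // default
    ];
    try {
      // Take the domain after the LAST '@': a local part may itself contain
      // '@', and the role decision must follow the real mail domain.
      const atIndex = profile.email.lastIndexOf('@');
      if (atIndex < 0) {
        throw new Error('E-mail address has no domain part');
      }
      const emailDomain = profile.email.slice(atIndex + 1).toLowerCase();
      switch (emailDomain) {
        case 'somedomain.com':
          assigned.push('rol_XXXXXXXXXXXX');
          break;
        // More custom rules here
      }
      return assigned;
    } catch (e) {
      console.error(e);
      return [];
    }
  };

  const roles = getRolesForUser(user);

  // Nothing to assign (unparseable address): continue the login without
  // calling the Management API with an empty role list.
  if (roles.length === 0) {
    return callback(null, user, context);
  }

  // Role management was introduced in 2.17.0.
  // 2.17.1 intermittently returned package not found error.
  // Unspecified version didn't support roles, so must be earlier than 2.17.0
  const ManagementClient = require('auth0@2.17.0').ManagementClient;
  const management = new ManagementClient({
    token: auth0.accessToken,
    domain: auth0.domain
  });

  // Update the user's roles. A failure is passed to the callback, so the
  // login fails rather than continuing with a user that has no roles.
  management.assignRolestoUser({ id: user.user_id }, { roles: roles }, (err) => {
    if (!err) {
      console.log(`Roles [${roles.join(', ')}] assigned to user [${user.email}]`);
    } else {
      console.error(err);
    }
    return callback(err, user, context);
  });
}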

It does work - the user migration from SQL happens, it properly adds the role, but the “permissions” array does not get populated on the JWT token when “Add Permissions in the Access Token” is turned on.

On the subsequent login, the permissions array is filled as expected.

Any ideas there?

And as sort of a follow-up, would there be any good way to pull this off with role names instead of ids? I suppose you could make an initial call to get all the roles.

Thanks for any help / thoughts!