Adding role object to token not working after user registers but works after they re-authenticate

I have a free Auth0 account and it's great. I have it integrated with my React application and it's working fine. I have 2 actions defined, and here is what each of them does.

1st action that runs inside the 'Post-Login' trigger: assign the 'User' role to everyone that registers to my application via Auth0.

The code for the action is below:

```javascript
exports.onExecutePostLogin = async (event, api) => {
  // Only act on the very first login (i.e. right after registration).
  if (event.stats.logins_count !== 1) {
    return;
  }

  const ManagementClient = require('auth0').ManagementClient;

  // Management API client built from the Action's secrets.
  const management = new ManagementClient({
    domain: event.secrets.domain,
    clientId: event.secrets.clientId,
    clientSecret: event.secrets.clientSecret,
  });

  const params = { id: event.user.user_id };
  const data = { roles: [event.secrets.UserRoleID] };

  try {
    // Persist the 'User' role on the user profile.
    await management.users.assignRoles(params, data);
  } catch (e) {
    console.log(e);
  }
};
```

The code works fine, and every user that registers does indeed get assigned the 'User' role that I have created in Auth0.

The 2nd action creates a roles property and attaches it to the user token that Auth0 issues (this runs directly after the 1st action above, also in the Post-Login trigger).

Code for the 2nd action below:

```javascript
exports.onExecutePostLogin = async (event, api) => {
  // Namespaced custom claim (the original post had "https:/" with a single slash, fixed here).
  const namespace = "https://my-cool-name-space";
  // Roles Auth0 resolved for the user before this Action ran.
  const assignedRoles = event.authorization?.roles || [];
  api.idToken.setCustomClaim(`${namespace}/roles`, assignedRoles);
};
```

The issue that I'm seeing is that when a user registers, in Auth0 I can see them having the 'User' role, but in my React app, when I am using Auth0Provider and extracting the user object from Auth0, I am not seeing the roles in there on the VERY FIRST TIME THEY REGISTER AND AUTHENTICATE in my app.

If they log out and log back in, I can see the roles object and I am able to extract it in my code and work with it...

I have tried the following:
Making the action work inside the 'Post-Registration' trigger, but that didn't seem to work at all. I couldn't even see the role being assigned in Auth0.

I have tried adding both of the actions into one, but that also didn't send the roles property in the user object the first time.

Is there anything I'm missing?

NOTE: I do see the roles property, but it's empty. Which leads me to think there is a race condition between my 1st action trigger and the 2nd one, where the user gets assigned the role but the token is already generated and doesn't have the roles in it, so therefore it defaults to the empty array I have defined.

I have tried refetching a token silently from my React client app, but that also didn't work.
The only way it works is if I log out and log back into my app...

Any guidance on this would be greatly appreciated!

Hi @fayezrahman

Welcome to the Auth0 Community!

Could you please try changing the namespace to something different than /roles?

As mentioned in our documentation, roles is part of claim restrictions. You could try renaming it to /userRoles.

Let me know if you still have issues!

Kind Regards,
Nik

It works with roles; however, my issue was that on the first login (registering for the first time) the user was actually getting the roles assigned to them (as I can inspect that in the Auth0 User Management dashboard), but the 2nd trigger, which actually assigned the roles to the user in the token, was not setting them (only the first time).

Subsequent logins did have it, so it's not a restricted-name issue.

Hi again!

Sorry! It appears that somehow I missed the part where the user is assigned the role and only visible after re-authentication!

That would be expected behaviour: the token retrieved after an authentication/registration event will not contain the role, since it has been assigned to the user after the task was completed. You would need to refresh the token inside the application so that the new one retrieved contains the roles, or the user would need to re-authenticate to include it, unfortunately.

If you have any other questions on the matter, let me know!

Kind Regards,
Nik

I've tried retrieving a new token in the application, but it didn't seem to have the roles either...

The current workaround I have is the following:

One action in the Post-Login trigger that basically checks if the user has never logged in (first time registering); if so, it assigns a hardcoded 'user' role as a custom claim to the token.

After that I call the Management API to actually assign the role to the user so that it's attached forever (in the Auth0 dashboard).

Then another if condition checks if the user has logged in before and they have roles attached to their profile:
event.authorization.roles

Then I just assign a custom claim called roles to their token, and I retrieve it all in my app.

The reason I wanted to get it the first time around is because I have a custom protected route that checks whether the user is entitled to view the component I'm rendering, based on their role.
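The workaround described in this post, and the timing Nik explains above (event.authorization.roles is resolved before the Post-Login Actions run, so a role persisted during the first login cannot appear in that same token), can be combined into a single Action. The code below is an added example, not the poster's own Action or Auth0's code. It assumes the same secret names as the thread (domain, clientId, clientSecret, UserRoleID), a claim namespace of our choosing, and that the role UserRoleID points at is named "User" (the name Auth0 later exposes in event.authorization.roles). The makeClient parameter is an assumption added so the logic can be exercised with a stub; inside Auth0 the default factory builds the real ManagementClient.

```javascript
// Added example: one Post-Login Action covering both the first login and later logins.
// Assumed: secrets domain/clientId/clientSecret/UserRoleID, namespace URL, role name "User".

const NAMESPACE = "https://my-cool-name-space"; // assumed claim namespace
const DEFAULT_ROLE_NAME = "User";               // assumed display name of the UserRoleID role

// Default factory: builds the real Management API client from the Action's secrets.
function defaultManagementClientFactory(secrets) {
  const { ManagementClient } = require("auth0");
  return new ManagementClient({
    domain: secrets.domain,
    clientId: secrets.clientId,
    clientSecret: secrets.clientSecret,
  });
}

async function onExecutePostLogin(event, api, makeClient = defaultManagementClientFactory) {
  // Roles Auth0 resolved *before* this Action ran; empty on the registration login.
  const assignedRoles = (event.authorization && event.authorization.roles) || [];
  const isFirstLogin = Boolean(event.stats && event.stats.logins_count === 1);

  let rolesForToken = assignedRoles;

  if (isFirstLogin && assignedRoles.length === 0) {
    try {
      // Persist the role so it shows up in event.authorization.roles on later logins.
      const management = makeClient(event.secrets);
      await management.users.assignRoles(
        { id: event.user.user_id },
        { roles: [event.secrets.UserRoleID] }
      );
      // The token being minted now cannot see that assignment, so for this first
      // session only, put the hardcoded default role into the claim ourselves.
      rolesForToken = [DEFAULT_ROLE_NAME];
    } catch (e) {
      // Fail closed: if the role could not be persisted, do not claim it in the token.
      console.log(e);
    }
  }

  api.idToken.setCustomClaim(`${NAMESPACE}/roles`, rolesForToken);
  return rolesForToken; // returned so the behaviour can be checked offline
}

if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

The claim is only hardcoded when persistence succeeded, so a Management API outage on the first login yields an empty roles claim rather than a token asserting a role the profile does not actually hold; the protected route then simply denies until the next login, when event.authorization.roles is populated normally. Keep the namespaced claim name, as Nik notes that an unnamespaced "roles" claim is restricted.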