Assign permissions using Actions Post User Registration flow

I have a regular web application where I make calls to the Auth0 API, with a registration on the Auth0 database that went well, and I got to register a user by calling the API and assigned a permission by calling the Management API on the Node backend.

The challenge was that social login users come with an access token without permissions, so I figured that if I used Actions to assign a permission once the social login user is created, that would solve my problem.

But when I tried the Actions approach described here, nothing would happen; no commands were executed with this implementation:

exports.onExecutePostUserRegistration = async (event) => {
  
  const ManagementClient = require('auth0').ManagementClient;

  var management = new ManagementClient({
      domain: event.secrets.CLI_DOMAIN,
      clientId: event.secrets.CLI_CLIENT_ID,
      clientSecret: event.secrets.CLI_CLIENT_SECRET,
      audience: event.secrets.CLI_MGMT_AUDIENCE,
      scope: 'update:users'
  });

  const params =  { id : event.user.user_id};
  var data = { "permissions" : [{"permission_name" :"app:user" ,"resource_server_identifier" :"https://app.development.com" }]};

  management.assignPermissionsToUser(params, data, function (err) {
    if (err) {
      // Handle error.
      console.log(err);
    }
    console.log('permissions assigned');
    // User assigned permissions.
  });
};

I’m only working with permissions since the app is simple enough.

Hi @kaluk1321,

Welcome to the Auth0 Community!

I understand you are trying to use a Post-Login Action to assign permissions to your users.

After looking through your code, everything checks out and looks correct.

Given that, could you please clarify if you have already created the permissions you specified in the request? Namely “permission_name” : “app:user” and “resource_server”:“https://app.development.com”?

I am looking forward to your reply.

Thank you.

Hello @rueben.tiow, it is a Post User Registration Action to assign permissions to users.

I have created this specific permission (tab permissions on the custom api) “app:user” on the specific resource server (Custom API - audience): https://app.development.com

It is important to note that on the node server, connecting to the management api and sending the permission works great.

If it’s a social login being done and the account is being created on users, does that mean that Post User Registration doesn’t really work with this flow and I should be using a Post Login action?

I don’t think a Post Login action would help in this case.

Hi @kaluk1321,

Thank you for your response and clarification.

My apologies for thinking it was a Post-Login Action in your initial message.

Yes, in this situation, a Post-Login Action is needed as a workaround, since signing up and logging in work the same for Social Connection users. The Social Login button redirects the user to the IdP (e.g., Google) to authenticate before being redirected back to Auth0.

Because of this, there is no way to utilize a Post-User Registration Action to assign permissions to Social Connection Users. Moreover, using a Post-User Registration Action will only work with Database and Passwordless users as described in our documentation here.

In this case, you must resort to using a Post-Login Action script to assign permissions to Social Connection users. If you intend to assign the permissions only once, I recommend setting a user_metadata value to check if the user has permissions assigned previously.

For example:

exports.onExecutePostLogin = async (event, api) => {

  const ManagementClient = require('auth0').ManagementClient;

  // Only assign once: skip users already flagged in user_metadata.
  if (!event.user.user_metadata.assigned_permissions) {
    const management = new ManagementClient({
      domain: event.secrets.CLI_DOMAIN,
      clientId: event.secrets.CLI_CLIENT_ID,
      clientSecret: event.secrets.CLI_CLIENT_SECRET,
      audience: event.secrets.CLI_MGMT_AUDIENCE,
      scope: 'update:users'
    });

    const params = { id: event.user.user_id };
    const data = { "permissions": [{ "permission_name": "app:user", "resource_server_identifier": "https://app.development.com" }] };

    try {
      // Await the call so the handler does not return before the request completes.
      await management.assignPermissionsToUser(params, data);
      console.log('permissions assigned');
      // Set the flag only after the permissions were actually assigned.
      api.user.setUserMetadata("assigned_permissions", true);
    } catch (err) {
      // Handle error; the flag stays unset so the next login tries again.
      console.log(err);
    }
  }
};

Please let me know how this works for you.

Thanks!


That worked really well to solve the problem of permissions not being assigned to social login users. For some reason I forgot that this action happens before it generates a token, so that’s why at first I thought it would not work. But now the user logs in with Google and the permission comes in the token; this way I can validate it via guards as it was with the password flow for database users.

Thank you very much!


Hey @kaluk1321,

I’m glad that this works out for you!

Please reach out if you have any additional questions. I’d be happy to help.

Thank you.

@rueben.tiow actually I thought it was not working, but what actually happened is that on the first login the permission is not coming at all. It seems the action assigns the permission to the user, but the token doesn’t actually come with the permission I assigned on first login.

I have to make a request to get another code to use the authorize flow again; then it comes with the permission I assigned on the first login. Is there a way to solve this issue?

Going by the idea of the Post Login Action, that I placed it before it generates a token, I thought the token would already include the permission I assigned even if it was the first login.
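The API-side guard mentioned in the thread, as an added example that is not part of any post above: it shows how a fail-closed permission check treats the first-login token (no `app:user` yet) versus the token from the second authorization. The helper name `checkPermission`, the sample claims and the `example.invalid` audiences are assumptions; the claims are assumed to come from a token whose signature, issuer and expiry were already verified, and to carry a `permissions` array.

```javascript
// Added example: claims are assumed to come from an access token whose
// signature, issuer and expiry were already verified by a JWT library.
const API_AUDIENCE = 'https://app.development.com'; // audience from the thread
const REQUIRED_PERMISSION = 'app:user';             // permission from the thread

// Hypothetical helper: decide whether verified claims authorize a request.
function checkPermission(claims, audience, permission) {
  if (!claims || typeof claims !== 'object') {
    return { allowed: false, status: 401, reason: 'no verified claims' };
  }
  // `aud` may be a single string or an array of audiences.
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(audience)) {
    return { allowed: false, status: 401, reason: 'token not issued for this API' };
  }
  // Fail closed: a missing or malformed claim means "no permissions".
  const granted = Array.isArray(claims.permissions) ? claims.permissions : [];
  if (!granted.includes(permission)) {
    return { allowed: false, status: 403, reason: `missing permission ${permission}` };
  }
  return { allowed: true, status: 200, reason: 'ok' };
}

// Constructed sample claims (not real tokens).
const firstLoginClaims = {
  sub: 'google-oauth2|0000',
  aud: [API_AUDIENCE, 'https://tenant.example.invalid/userinfo'],
  permissions: [], // first login: permission assigned, but not yet in the token
};
const secondLoginClaims = { ...firstLoginClaims, permissions: ['app:user'] };
const otherApiClaims = {
  sub: 'google-oauth2|0000',
  aud: 'https://other.example.invalid',
  permissions: ['app:user'],
};

for (const [name, claims] of Object.entries({
  firstLoginClaims, secondLoginClaims, otherApiClaims,
})) {
  console.log(name, checkPermission(claims, API_AUDIENCE, REQUIRED_PERMISSION));
}
```

A 403 for the first-login token is the expected result here: the guard only reflects what the token carries, so the client needs a token issued after the assignment.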