Assigning default role(s) to new users

I’d like to assign a Role to users that sign up with my application.

My setup is a SPA that uses the WebAuth API. I have user roles and scopes coming from various APIs defined in the Auth0 dashboard. On the frontend, the scopes come from the accessToken.permissions field. I am not using the authorization-extension.

At the moment, I have to manually assign roles to users that sign up for my application. This is obviously not optimal because it’s a manual process. How could I assign roles to new users?

I’ve looked through all the questions and documentation and I can’t find a way to do this. I’ve also tried using the “Set roles to a user” Rule but I haven’t been able to make it work (aka the accessToken.permissions never reflect my changes).



Hello, have you found a solution for this problem?
This one looks promising, however it uses the extension and I’m not sure yet whether it will work in our case:

Hi @RandomStranger! I haven’t found a solution that works without refactoring everything to use the Authorization extension. The article you posted looks helpful though, thank you!

Hi @deammer

I have managed to pull this off by leveraging the management API from within my rule.

From within the rule you’ll need to do a client credentials grant - to get a token that has access to the management API.

Here is an example of that:

const axios = require("axios"); // assumed: the (url, body, config) argument shape below is axios.post
function getAccessToken() {
  return axios.post(
    "https://" + auth0.domain + "/oauth/token",
    {
      grant_type: "client_credentials",
      client_id: configuration.MGMT_API_ID,
      client_secret: configuration.MGMT_API_SECRET,
      audience: "https://" + auth0.domain + "/api/v2/"
    },
    { headers: { "content-type": "application/json" } }
  );
}

With that access token, you can assign roles to users. Here is a sample of that:

function assignRole(userId, roleId, accessToken) {
  // Management API POST /api/v2/users/{id}/roles; the user id contains "|", so encode it
  return axios.post(
    "https://" + auth0.domain + "/api/v2/users/" + encodeURIComponent(userId) + "/roles",
    { roles: [roleId] },
    { headers: {
        "cache-control": "no-cache",
        authorization: `Bearer ${accessToken}`,
        "content-type": "application/json"
    } }
  );
}

The current rule authorization context (context.authorization.roles) will not have the newly assigned role(s), but you can mutate the context so any subsequent rules will have the correct roles within the authorization context.


The context will also be missing permissions associated with that role - not sure how to handle that…

Hope this helps!


Thanks for sharing, @harmoN! That’s an interesting way to mutate the authorization context, but it doesn’t do exactly what I want.

I’d like to permanently (aka not just within the context of Rules) assign roles to users and thus grant them the related API scopes.

Here’s an example setup:

  • an Auth0 SPA that handles authentication
  • an API called “Product API” with the scopes read:product, create:product, delete:product
  • a “Viewer” role that has the read:product permission
  • an “Admin” role that has all the permissions

I’d like to automatically assign the “Viewer” role to everyone that signs up for my app and thus give them the read:product permission (this is a simplified use case).


I am only mutating the context so that the initial login works, and the first token issued properly includes the user's default roles (Auth0 Roles). Otherwise they would have to log in again to have their roles in the context.

In my first rule, I have a condition that checks if context.authorization.roles.length === 0, which means it is their first login and they have not been assigned the default role (could probably also check if loginCount === 0). That is when the rule executes the above example functions, which hit the Auth0 management API to permanently assign that user to a default role, or any other roles.
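The whole flow harmoN describes (first-login check, client credentials grant, Management API role assignment, context mutation) as an added example that is not harmoN's code or Auth0's. The HTTP call is injected as `post(url, body, headers)` so the logic runs offline against a constructed stand-in; the config keys, the `Viewer` role name and all IDs are placeholders.

```javascript
// Added example, not harmoN's code. `post(url, body, headers)` is an injected HTTP
// call resolving to the parsed JSON body; in a live Rule wrap axios and read cfg from `configuration`.
function makeAssignDefaultRole(post) {
  return async function assignDefaultRole(user, context, cfg) {
    context.authorization = context.authorization || {};
    const roles = context.authorization.roles || [];
    // Already has a role: not a first login, nothing to assign.
    if (roles.length > 0) return { assigned: false, roles: roles };

    const base = "https://" + cfg.domain;
    // 1. Client credentials grant for a Management API token.
    const tokenRes = await post(base + "/oauth/token", {
      grant_type: "client_credentials",
      client_id: cfg.MGMT_API_ID,
      client_secret: cfg.MGMT_API_SECRET,
      audience: base + "/api/v2/"
    }, { "content-type": "application/json" });

    // 2. Permanent assignment via POST /api/v2/users/{id}/roles. The API takes the
    //    role ID (rol_...), while context.authorization.roles carries role names;
    //    user_id contains "|", so it is URL-encoded.
    await post(base + "/api/v2/users/" + encodeURIComponent(user.user_id) + "/roles",
      { roles: [cfg.DEFAULT_ROLE_ID] },
      { authorization: "Bearer " + tokenRes.access_token, "content-type": "application/json" });

    // 3. Mutate the context so the first issued token already reflects the role.
    context.authorization.roles = [cfg.DEFAULT_ROLE_NAME];
    return { assigned: true, roles: context.authorization.roles };
  };
}

// Constructed stand-in for the Auth0 endpoints: records requests, returns canned bodies.
function fakeAuth0() {
  const calls = [];
  async function post(url, body, headers) {
    calls.push({ url: url, body: body, headers: headers });
    if (url.endsWith("/oauth/token")) return { access_token: "mgmt-token-constructed" };
    if (!headers.authorization) throw new Error("Management API call without bearer token");
    return {};
  }
  return { post: post, calls: calls };
}

// Constructed placeholder configuration; replace with your tenant's values.
const sampleCfg = { domain: "example.auth0.com", MGMT_API_ID: "client-id-placeholder",
  MGMT_API_SECRET: "client-secret-placeholder", DEFAULT_ROLE_ID: "rol_placeholder",
  DEFAULT_ROLE_NAME: "Viewer" };
```

Inside a real Rule you would call the returned function from `function (user, context, callback)`, pass an axios-backed `post`, and finish with `callback(null, user, context)` only after the promise resolves.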


Hello harmoN,
I need to do exactly the same thing but I’m not an expert in JavaScript. Can you provide the entire rule please?

Hi @remy1

In this post there are two example rules to do that - Assign Roles to users using Rules

@deammer @remy1 @harmoN - I’m trying to understand your needs for default roles to see if it’s something that we need to bring into core instead of relying on rules to do it.

Are you assigning the same role to every user or does it depend on a given condition? In @deammer's example, if every user is supposed to be able to read products, wouldn’t it be simpler to just require the user to be authenticated to view products instead of putting it behind a permission?



Hi @Marcos_Castany,

My use case is to differentiate internal vs external users, also to assign access to applications.

Users logging in with a particular email domain through azure AD get assigned the ‘INTERNAL’ role, where everyone else is assigned a ‘CUSTOMER’ role.

Also, access to particular Auth0 clients (applications) I am doing through roles: applications have a metadata property that corresponds to a role that is required to access the application. (There may be a better way to solve this problem, but it is what I came up with.)
So if I know who should have access to an application, a rule could assign them access to those applications (roles) by default when they first log in.

Great. Thanks for the details.

One more question. Would it be fair to say that all the users that are assigned the INTERNAL role are coming from an Azure AD connection and all the CUSTOMERS come from other connections? (So there’s no CUSTOMER coming from the specific AD connection that contains INTERNAL users.)

Yes that is correct.
There may be other AD/DB connections that belong to CUSTOMERS, only one specific AD connection for INTERNAL users.