Best way to add a 'default role' to a new user for a given client

I recently researched how to best add a default role to a new user who is using a particular client. Specifically, a user that either just signed up, or was imported from a legacy database. IOW, the user just logged in or signed up for the first time, and is doing so using client “Foo”.

To get this behavior to occur, I ended up doing the following, which appears to work well, but is not as elegant as I would like. I used rules (not Hooks) to implement this:

Rule1 - auth0-authorization-extension (auto-added when I installed the authorization extension). This rule ensures that any existing groups/roles/permissions are present in the app_metadata.

Rule2 - Client Foo - set default role on new user:

  1. this is a custom rule
  2. check to see if client is “Foo”, if not, exit rule
  3. if user does not have the default role (in app_metadata), call Auth0-authorization-extension to add the role
  4. if role added successfully, “context.roleInitialized = true”
  5. exit

Rule3 - Client Foo - if new role added, re-initialize authorizations

  1. check to see if client is “Foo”, if not, exit rule
  2. if context.roleInitialized !== true, exit rule
  3. re-run all the generated JS code that is in “auth0-authorization-extension”. IOW, I just manually copied this rule from above, and added an initial “if()” to make sure the client is Foo & new role was just added

So, rather than doing this logic in a webhook (which I thought made better sense conceptually, and was cleaner), I did it in rules. The reason I did not do it in the “Pre User Registration” hook was that this hook (per the doco) does not know what client initiated the user signup or import. There may be other reasons why this hook would not work, but that initial reason (not knowing the client) was my signal to use rules instead.

To be clear, Rule3 is there so that the (new) role & corresponding permissions will be in the generated access_token. Without Rule3, the user is ‘added to the role’, but the access_token doesn’t have the role/permissions (which is the whole point so to speak).

Any advice as to a better way?
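The Rule2 logic described in the post, written out as an added JavaScript example (it is not the poster's rule or Auth0's code). It assumes the Foo client id and the default role's id and name come from rule configuration, that roles the Authorization Extension already persisted are in user.app_metadata.authorization.roles, and that addRoleToUser(userId, roleId, cb) is a hypothetical helper wrapping the extension's API:

```javascript
// Added example, not the original poster's rule: the decision logic of "Rule2"
// as an Auth0 rule. Assumptions: cfg.fooClientId / cfg.defaultRoleId /
// cfg.defaultRoleName come from rule configuration; roles the Authorization
// Extension already persisted are read from user.app_metadata.authorization.roles;
// addRoleToUser(userId, roleId, cb) is a hypothetical helper that calls the
// extension's API and reports the result through a Node-style callback.

// Pure decision step: which action the rule should take for this login.
function decideDefaultRole(user, context, cfg) {
  if (!context || context.clientID !== cfg.fooClientId) {
    return { action: 'skip', reason: 'not client Foo' };
  }
  const meta = (user && user.app_metadata) || {};
  const roles = (meta.authorization && meta.authorization.roles) || [];
  if (roles.indexOf(cfg.defaultRoleName) !== -1) {
    return { action: 'skip', reason: 'already has default role' };
  }
  return { action: 'add', roleId: cfg.defaultRoleId };
}

// Builds the rule Auth0 invokes as function (user, context, callback).
function makeDefaultRoleRule(cfg, addRoleToUser) {
  return function defaultRoleRule(user, context, callback) {
    const decision = decideDefaultRole(user, context, cfg);
    if (decision.action !== 'add') {
      return callback(null, user, context); // nothing to do, continue the pipeline
    }
    addRoleToUser(user.user_id, decision.roleId, function (err) {
      if (err) {
        // Fail closed: surface the error instead of issuing a token that
        // silently lacks the role the application expects.
        return callback(err);
      }
      // Flag consumed by the follow-up rule (Rule3) that re-reads authorizations
      // so the new role and its permissions end up in the access_token.
      context.roleInitialized = true;
      callback(null, user, context);
    });
  };
}

// Constructed stand-alone demo with a fake helper in place of the extension API.
const demoCfg = { fooClientId: 'FOO_CLIENT_ID', defaultRoleId: 'ROLE_ID', defaultRoleName: 'member' };
const demoRule = makeDefaultRoleRule(demoCfg, function (userId, roleId, cb) { cb(null); });
const demoContext = { clientID: 'FOO_CLIENT_ID' };
demoRule({ user_id: 'auth0|demo' }, demoContext, function (err) {
  console.log('error:', err, 'roleInitialized:', demoContext.roleInitialized); // error: null roleInitialized: true
});
```

Because the fake helper calls back synchronously, the whole flow can be exercised without the extension; in a real rule the helper would issue the HTTP call and the callback would run asynchronously.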

Hi Joe, not really answering your question because I have the same issue of adding a default role :frowning: … By any chance can you share how you did step 2 of Rule2 and Rule3, adding the role to the user by calling the extension API? I just added it to the returned token, but obviously it is not getting all the appropriate permissions related to the role.

Thanks in advance