First login doesn't include permissions using post login action


I saw this situation happening through the forum but I couldn’t find an appropriate solution to my problem.

I have an action that assign user role after the first login.

exports.onExecutePostLogin = async (event, api) => {
    if (event.stats.logins_count !== 1) {

    const ManagementClient = require('auth0').ManagementClient;

    var management = new ManagementClient({
        domain: 'MY_DOMAIN',
        clientId: 'MY_MANGEMENT_CLIENT_ID',
        clientSecret: event.secrets.CLIENT_SECRET,
        scope: 'read:roles update:roles',
        audience: 'MY_AUDIENCE'

    const params = {
        id: event.user.user_id
    const data = {
        "roles": ['MY_ROLE']
    if (event.client.client_id === "MY_CLIENT_ID") {
        management.users.assignRoles(params, data, (err, user) => {
            if (err) {
            } else {
                console.log('user role assigned');

Now this successfully assign the role to the user.
But on client side just after the login is performed a HTTP request is made to get the oAuth token to .

This token doesn’t have any permissions:

  "iss": "",
  "sub": "google-oauth2|117559359790633501933",
  "aud": [
  "iat": 1695811096,
  "exp": 1695897496,
  "azp": "yIKsGOF4X2tXr0noeTj2J9uSBcmWn8jF",
  "scope": "openid profile email offline_access",
  "permissions": [

But if I try to login again it will have the permissions.

How can I have the permission in the first login token response?

Hey there @alin.tatu welcome to the community!

Thanks for the detailed description of the issue :slight_smile:

That’s odd those permissions aren’t coming through - I am using the same Action code and registering a google-oauth2 user and I can’t seem to reproduce this :thinking: That is, the permissions are present in the access token as expected. Does this happen consistently? Are the permissions ever available?

One option/workaround is to force silent auth which would then add the permissions if they aren’t available already. Important to note, you would need to set cacheMode: 'off' in get getTokenSilentlyOptions in auth0-react for example.

Hi @tyf thanks for you answer, and sorry for the late reply.

The permissions are present only after the 2nd login, or using the refresh_token to get a new token.
But I wonder why they are not present on the access_token I get just after the 1st login?

I would prefer not to go with the silent auth methods as it will complicate my workflow.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.