First login doesn't include permissions using post login action

Get Help
,
1

Hello,

I saw this situation happening through the forum but I couldn’t find an appropriate solution to my problem.

I have an action that assign user role after the first login.

exports.onExecutePostLogin = async (event, api) => {
    if (event.stats.logins_count !== 1) {
        return;
    }

    const ManagementClient = require('auth0').ManagementClient;

    var management = new ManagementClient({
        domain: 'MY_DOMAIN',
        clientId: 'MY_MANGEMENT_CLIENT_ID',
        clientSecret: event.secrets.CLIENT_SECRET,
        scope: 'read:roles update:roles',
        audience: 'MY_AUDIENCE'
    });

    const params = {
        id: event.user.user_id
    };
    const data = {
        "roles": ['MY_ROLE']
    };
    if (event.client.client_id === "MY_CLIENT_ID") {
        management.users.assignRoles(params, data, (err, user) => {
            if (err) {
                console.log(err.message);
            } else {
                console.log('user role assigned');
            }
        });
    }
};

Now this successfully assign the role to the user.
But on client side just after the login is performed a HTTP request is made to get the oAuth token to https://MY_DOMAIN.eu.auth0.com/oauth/token .

This token doesn’t have any permissions:

{
  "iss": "https://MY_DOMAIN.eu.auth0.com/",
  "sub": "google-oauth2|117559359790633501933",
  "aud": [
    "https://MY_AUDIENCE/",
  ],
  "iat": 1695811096,
  "exp": 1695897496,
  "azp": "yIKsGOF4X2tXr0noeTj2J9uSBcmWn8jF",
  "scope": "openid profile email offline_access",
  "permissions": [
  ]
}

But if I try to login again it will have the permissions.

How can I have the permission in the first login token response?

3

Hey there @alin.tatu welcome to the community!

Thanks for the detailed description of the issue :slight_smile:

That’s odd those permissions aren’t coming through - I am using the same Action code and registering a google-oauth2 user and I can’t seem to reproduce this :thinking: That is, the permissions are present in the access token as expected. Does this happen consistently? Are the permissions ever available?

One option/workaround is to force silent auth which would then add the permissions if they aren’t available already. Important to note, you would need to set cacheMode: 'off' in get getTokenSilentlyOptions in auth0-react for example.

4

Hi @ty.frith thanks for you answer, and sorry for the late reply.

The permissions are present only after the 2nd login, or using the refresh_token to get a new token.
But I wonder why they are not present on the access_token I get just after the 1st login?

I would prefer not to go with the silent auth methods as it will complicate my workflow.