Form breaking token with claims

Hi, I have a few actions post login. But one of those actions is actually calling a form to add some user metadata.
For that one I'm using this code:

exports.onExecutePostLogin = async (event, api) => {
  const FORM_ID = '*******';

  // Render the form only when the required user_metadata fields are missing
  if (
    !event.user.user_metadata.nombre &&
    !event.user.user_metadata.apellido_pat
  ) {
    api.prompt.render(FORM_ID);
  }
}

// Runs when the user returns from the form; nothing else to do here
exports.onContinuePostLogin = async (event, api) => {
}

And after that one I have another action on the same flow to add the claims to the access token. I’m using this code:

exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://***.com';
  // Copy the user's assigned roles into a namespaced custom claim
  if (event.authorization) {
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
};

But it doesn't work when it's the first time the user logs in (when the form renders). If the user has already logged in and has their metadata complete, then the form isn't rendering, and in that case the token is getting the claim.

I already tried many different approaches but none of them are working.

Hi @busdig,

Welcome to the Auth0 Community!

This might be happening because the user’s roles were not set during the initial login. Could you clarify how you are setting the user’s roles?

Do you have a separate Action doing this?

Or are you saving the user’s roles in the user_metadata through your Form?

Thanks,
Rueben

Hi @rueben.tiow ,

Yes, I have separate actions. Each of them has the code onExecutePostLogin.

First action is rendering the form if the user metadata is missing.
Second action is setting the role if the user doesn't have any role assigned.
Third one issues the access token with the role.

But as I mentioned, it issues the token with the role only when the form is not rendering.

I’m not storing the roles in the user_metadata.

I already checked the logs but I didn’t find any issue.


@rueben.tiow

I did some debugging and it looks like event.authorization.roles is not updating, or it may take some time?

Could it be that, because it's a new user, the event object is the same for all the actions? So even though I'm adding the role in an action before the action that issues the token, the event object that was already generated isn't getting updated.

Because when I console.log event.authorization.roles it gives me 0.


Hi @busdig,

Thanks for the responses.

Yes, that’s correct. The event.authorization.roles only returns the roles assigned to the user before the initial login event. This is why you were not able to append the role as a custom claim until subsequent logins.

In this case, I recommend combining your second and third actions as one. This way, you can assign the role to the user and append it as a custom claim at the same time.

To get the role name, you could use the Management API to request the current role name or hardcode it as a variable. (Reference: RolesManager | auth0)

Let me know if you have any questions.

Thanks,
Rueben
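One way to combine the second and third actions as Rueben suggests, written as an added example rather than code from the thread or from Auth0: it assumes the auth0 Node SDK v4 `ManagementClient` with `users.assignRoles`, Action secrets named DOMAIN, CLIENT_ID and CLIENT_SECRET for a Machine-to-Machine client, and placeholder values for the namespace and role id. Because event.authorization.roles only reflects roles assigned before this login, the role just assigned is merged in locally before the claim is set.

```javascript
// Added example: assign the default role and set the claim in ONE action,
// so the claim is present on the very first login (the form-render case).
const NAMESPACE = 'https://example.com';                  // placeholder namespace
const DEFAULT_ROLE = { id: 'rol_PLACEHOLDER', name: 'member' }; // placeholder role

// True when the user arrives with no roles assigned (first login).
function needsDefaultRole(event) {
  const roles = event.authorization && event.authorization.roles;
  return !Array.isArray(roles) || roles.length === 0;
}

// event.authorization.roles is a snapshot taken before this login, so the
// role assigned in this same action must be merged in by hand.
function rolesForToken(event, assignedRoleName) {
  const existing = (event.authorization && event.authorization.roles) || [];
  const roles = new Set(existing);
  if (assignedRoleName) roles.add(assignedRoleName);
  return [...roles];
}

async function onExecutePostLogin(event, api) {
  let assigned = null;

  if (needsDefaultRole(event)) {
    // Assumed: auth0 SDK v4 API shape; credentials come from Action secrets.
    const { ManagementClient } = require('auth0');
    const management = new ManagementClient({
      domain: event.secrets.DOMAIN,
      clientId: event.secrets.CLIENT_ID,
      clientSecret: event.secrets.CLIENT_SECRET,
    });
    await management.users.assignRoles(
      { id: event.user.user_id },
      { roles: [DEFAULT_ROLE.id] },
    );
    assigned = DEFAULT_ROLE.name;
  }

  const roles = rolesForToken(event, assigned);
  if (roles.length > 0) {
    api.accessToken.setCustomClaim(`${NAMESPACE}/roles`, roles);
  }
}

exports.onExecutePostLogin = onExecutePostLogin;
```

Keep the role name in DEFAULT_ROLE in sync with the role's name in the dashboard, since that is what subsequent logins will report in event.authorization.roles.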
