How do I add a default role & permissions to a user?

Continuing the discussion from How do I add a default role to a new user on first login?:

Following this discussion, I implemented the rule to add the default role.

This will, however, only add the granted permissions when the user logs in a second time.

How can I make sure that the user gets his role & permissions even in the first login's token?


I have the same problem. Have you found a solution yet?

I’ve found an ugly hack, but not really a solution: The client has to immediately refresh on first login. The second token will be correct.

I’m also looking for a solution that will include the permissions in the access token on first login without forcing the client to refresh the access token. @dan.woda Are you able to assist and update the FAQ?

There are several threads on this topic with no clear answer:


You will have to force a token refresh on first login to get the role’s permissions in the AT. You should be able to do this silently without the user providing credentials.
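
The forced refresh described above, sketched as an added example that is not part of the original thread or of any SDK. It assumes the permissions arrive in an access-token claim named `permissions`, and `silentRefresh` is a hypothetical function standing in for whatever your client uses to get a new token without user interaction.

```javascript
// Decode a JWT payload WITHOUT verifying the signature. This is only used on the
// client to decide whether a refresh is needed; the API must still validate the
// token and enforce permissions itself.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// True when the (assumed) permissions claim is a non-empty array.
function hasPermissions(jwt, claim = 'permissions') {
  const value = decodePayload(jwt)[claim];
  return Array.isArray(value) && value.length > 0;
}

// Refresh silently when the first-login token has no permissions yet.
// silentRefresh: hypothetical async function returning a fresh access token
// (cache bypassed). maxRefreshes bounds the retries so a user who really has
// no role does not put the client into a refresh loop.
async function tokenWithPermissions(firstToken, silentRefresh, maxRefreshes = 1) {
  let token = firstToken;
  let refreshes = 0;
  while (!hasPermissions(token) && refreshes < maxRefreshes) {
    token = await silentRefresh();
    refreshes += 1;
  }
  return { token, refreshes, complete: hasPermissions(token) };
}

// Constructed sample tokens with a placeholder signature, for demonstration only.
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}

const firstLoginToken = makeSampleToken({ sub: 'user1' });
const refreshedToken = makeSampleToken({ sub: 'user1', permissions: ['read:items'] });

tokenWithPermissions(firstLoginToken, async () => refreshedToken)
  .then((r) => console.log(`refreshes=${r.refreshes} complete=${r.complete}`));
```

If `complete` is still false after the bounded refresh, treat it as "no role assigned" rather than retrying.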