How to pre-assign roles to a user based on user emails with Authorization Extension?

Hi,

I would like to pre-define roles for some users based on an email list I have, so that whenever a person registers an account, they are automatically assigned a role if their email matches one in my email list.

I’m using the Authorization Extension to manage roles. Can anyone help me with how to do this?

Cheers,
Andre

Can anyone help regarding this topic please?

I tried using rules to call the Authorization Extension API to add the user to a role. The problem with this method is that a user who has just registered will not immediately get access; instead, the role only appears after the 2nd login.

I also tried using hooks, both post-registration and pre-registration.

For post-registration, I don’t know why, but my script that uses the Authorization Extension API does not seem to execute properly. I can see from the log that it is indeed calling the API to assign the role to the user, but the user's permissions are not updated.

For pre-registration, I can’t use it because in the pre-registration script user_id does not exist, and this is needed for calling the auth extension API to add a user to roles.


I encountered the same issue. Is there any solution to that?

But instead of using rules, I was using an Action in onExecutePostLogin. I get a log that says:

On the first login, which happens right after user signup, it failed (although Assign roles to a user happens before the login fails; my guess is that it uses the old token with no role to attempt the login). Then if I try to log in again, it works, since the role is assigned. I guess there’s some state mismatch. I want to know if there’s a solution to address this so users can log in right after they sign up.

```javascript
exports.onExecutePostLogin = async (event, api) => {
  event.user.app_metadata = event.user.app_metadata || {};
  // Skip users whose initial role assignment has already run
  if (event.user.app_metadata.INITIAL_ROLE_ASSIGNED) return;
  // Do initial signup stuff (role assignment) here
  const ManagementClient = require('auth0').ManagementClient;

  // Management API client; credentials come from the Action's secrets
  const management = new ManagementClient({
    domain: event.secrets.domain,
    clientId: event.secrets.client_id,
    clientSecret: event.secrets.client_secret,
  });
  const params = { id: event.user.user_id };
  const all_application_access_role = { roles: ["rol_3x1T5kuIDdkKQJQu"] };

  try {
    // if user email ends with @****.com, assign all application access
    if (event.user.email && event.user.email.endsWith("@****.com")) {
      await management.assignRolestoUser(params, all_application_access_role);
    }
    // Set the flag only when the step above did not throw,
    // so a failed assignment is retried on the next login
    api.user.setAppMetadata('INITIAL_ROLE_ASSIGNED', true);
  } catch (e) {
    console.log(e);
  }
};
```
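An added example, not written by any poster in this thread: the email check that decides the role, as a standalone function that requires `email_verified` and matches case-insensitively against an exact address list or an exact domain rather than a raw string suffix. The policy contents, role IDs and the names `POLICY`, `parseEmail` and `rolesForUser` are constructed placeholders.

```javascript
// Constructed policy: addresses, domain and role IDs are placeholders.
const POLICY = {
  emails: { "alice@example.com": ["rol_PLACEHOLDER_ADMIN"] },
  domains: { "example.org": ["rol_PLACEHOLDER_ALL_APPS"] },
};

// Normalise an address and split off its domain; null if malformed.
function parseEmail(email) {
  if (typeof email !== "string") return null;
  const trimmed = email.trim().toLowerCase();
  if (/\s/.test(trimmed)) return null;
  const at = trimmed.lastIndexOf("@");
  // Require exactly one "@" with text on both sides.
  if (at <= 0 || at !== trimmed.indexOf("@") || at === trimmed.length - 1) {
    return null;
  }
  return { address: trimmed, domain: trimmed.slice(at + 1) };
}

// Role IDs to pre-assign for a user object shaped like event.user.
function rolesForUser(user, policy = POLICY) {
  // An unverified address says nothing about who controls the mailbox,
  // so it must never be enough to grant a role.
  if (!user || user.email_verified !== true) return [];
  const parsed = parseEmail(user.email);
  if (!parsed) return [];
  const roles = new Set();
  const lookups = [
    [policy.emails, parsed.address], // exact address match
    [policy.domains, parsed.domain], // exact domain match, not a suffix test
  ];
  for (const [table, key] of lookups) {
    // Own-property check so a key such as "constructor" cannot match
    // an inherited member of the table object.
    if (table && Object.prototype.hasOwnProperty.call(table, key)) {
      table[key].forEach((role) => roles.add(role));
    }
  }
  return [...roles];
}
```

In a post-login Action, the returned IDs would be passed as the `roles` array of the Management API call shown in the thread.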