How to refresh the token after merging user & assigning role?

I have a post login action like so

exports.onExecutePostLogin = async (event, api) => {
  const namespace = '';

  const { MGMT_SECRET, MGMT_DOMAIN, MGMT_CLIENT_ID } = event.secrets;
  const auth0 = require('auth0');
  var managementClient = new auth0.ManagementClient({
    domain: MGMT_DOMAIN,
    clientId: MGMT_CLIENT_ID,
    clientSecret: MGMT_SECRET,

  const existingUserAccounts = await managementClient.getUsersByEmail(

  let roles = []

  if (event.authorization) {
    roles = event.authorization.roles

  if (existingUserAccounts.length === 2) {
    const sorted = existingUserAccounts.sort((a,b) => new Date(a.created_at).getTime() - new Date(b.created_at).getTime());
    const originalUser = sorted[0];
    const newUser = sorted[1];

    const provider = newUser.identities[0].provider;
    const providerUserId = newUser.identities[0].user_id;

    originalUser.identities = await managementClient.linkUsers(originalUser.user_id, {
      provider: provider,
      user_id: providerUserId

    const assignedRoles = await managementClient.getUserRoles({id: originalUser.user_id})
    roles = assignedRoles
    event.user = originalUser

  if (roles.length === 0 &&"")) {
    await managementClient.assignRolestoUser({ id: event.user.user_id }, { roles: ['rol_uberAdmin']})
    roles = ['rol_uberAdmin']

  if (roles.length === 0 ){
    return api.access.deny(`Access to ${} is not allowed for users without a role assigned.`);
  return {

It merges the user from google if they were invited through direct email beforehand and assigns a role to the user if they are from a specific domain.

Now my issue is that the token returned from the call is the original token, ie. it doesn’t contain the role / permissions it should after the new role was assigned or the accounts merged (if the one that is being merged in doesn’t have a role).

Is there some way for force token refresh with current user data at this stage ?

seems to be assigning roles and permissions properly for passwordless users, but if the same flow is followed with users coming from the social auth the token doesn’t contain the newly assigned role or it’s permissions.

Thanks in advance!

Hey @daniel.j welcome to the community!

It looks like my colleague was able to provide a solution for this in another thread - Adding for visibility:

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.