Setup Overview
- App 1:
  - Hosted in Auth0 Tenant A.
  - This is the app users directly log into.
- App 2:
  - Hosted in a different Auth0 Tenant B.
  - App 2 will be integrated somehow with App 1.
- Federation:
  - We have configured OIDC connections in Tenant B to accept logins from Tenant A.
  - These OIDC connections are working, and the user is automatically created in Tenant B upon login.
  - The API in Tenant B has RBAC enabled with "Add Permissions in the Access Token".
- Authentication Flow:
  - User logs in to App 1 (Tenant A).
  - App 2 silently authenticates via OIDC connection in Tenant B.
  - First login successfully creates the user in Tenant B and issues a token.
The Challenge
We need to assign specific roles to these users in Tenant B, and the roles exist in Tenant B (because those roles are applicable for App 2), such that:
- The roles are applied during their first login to Tenant B.
- The resulting access token includes the expected permissions derived from those roles.
We understand that roles can be assigned inside a Post-Login Action, but:
- The role assignment does not take effect immediately in the current access token.
- The permissions are missing in the first token returned to the user.
- On subsequent logins, the correct roles and permissions may appear in the token.
Our Question
What is the recommended best practice for assigning roles (and having their permissions reflected in the access token) during first-time login via an OIDC connection?
We are exploring the following workarounds, but are unsure of their long-term reliability or support:
- Adding custom claims manually in the Action based on connection or domain.
What We Need
- A supported and reliable approach for:
  - Assigning roles to users federated via OIDC connections during their first login.
  - Ensuring that access tokens reflect those roles/permissions immediately if possible.
- Clarification on whether Auth0 supports:
  - Immediate token enrichment after role assignment in an Action.
  - Hooks or pre-user creation logic that could assist here.
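One way to implement the "custom claims in the Action based on connection" workaround the post mentions, as an added example that is not part of the original post: a Post-Login Action that maps the federating OIDC connection name to Tenant B roles, merges them with any roles RBAC has already attached, and writes the result as namespaced custom claims so the very first token carries them. The connection name, role names, permission names and claim namespace are assumptions.

```javascript
// Added example, not from the original post. Assumed values throughout:
const CLAIM_NAMESPACE = 'https://example.com/'; // namespace for custom claims

// Assumed: OIDC connection name in Tenant B (federating Tenant A) -> Tenant B roles.
// The connection name comes from Tenant B's own configuration, not from user input,
// so it is a safe key to map on; an unknown connection yields no roles.
const CONNECTION_ROLES = {
  'tenant-a-oidc': ['app2-user'],
};

// Assumed: Tenant B role -> permissions, mirrored from the RBAC role definitions.
// Keep this in sync with the roles configured on the Tenant B API.
const ROLE_PERMISSIONS = {
  'app2-user': ['read:reports'],
  'app2-admin': ['read:reports', 'write:reports'],
};

// Flatten a role list into a de-duplicated, sorted permission list.
function permissionsForRoles(roles) {
  const perms = new Set();
  for (const role of roles) {
    for (const p of ROLE_PERMISSIONS[role] || []) perms.add(p);
  }
  return [...perms].sort();
}

// Compute the claims for one login from the Action's event object:
// roles RBAC already knows (event.authorization.roles, present on later logins)
// plus roles implied by the connection (covers the first login).
function claimsForLogin(event) {
  const existing = (event.authorization && event.authorization.roles) || [];
  const mapped = CONNECTION_ROLES[event.connection.name] || [];
  const roles = [...new Set([...existing, ...mapped])].sort();
  return { roles, permissions: permissionsForRoles(roles) };
}

// Auth0 Post-Login Action entry point: enrich the access token immediately.
async function onExecutePostLogin(event, api) {
  const { roles, permissions } = claimsForLogin(event);
  api.accessToken.setCustomClaim(CLAIM_NAMESPACE + 'roles', roles);
  api.accessToken.setCustomClaim(CLAIM_NAMESPACE + 'permissions', permissions);
}

// Export in the shape Auth0 Actions expect (guarded so the file also runs as ESM).
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

The API in Tenant B must be configured to honour the namespaced claims; the standard `permissions` claim is still populated only from RBAC, so the two can diverge until the role assignment has taken effect.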