Issue with Role Assignment and Token Permissions on First Login via OIDC Federated Connection (Cross-Tenant Setup)

Setup Overview

  • App 1 :
    • Hosted in Auth0 Tenant A .
    • This is the app users directly log into.
  • App 2 :
    • Hosted in a different Auth0 Tenant B .
    • App 2 will be integrated somehow with App 1.
  • Federation:
    • We have configured OIDC connections in Tenant B to accept logins from Tenant A.
    • These OIDC connections are working, and the user is automatically created in Tenant B upon login.
    • The API in Tenant B has RBAC enabled with “Add Permissions in the Access Token”.
  • Authentication Flow:
    • User logs in to App 1 (Tenant A).
    • App 2 silently authenticates via OIDC connection in Tenant B.
    • First login successfully creates the user in Tenant B and issues a token.

The Challenge

We need to assign specific roles to these users in Tenant B, and the roles exist in Tenant B (because those roles are applicable to App 2), such that:

  • The roles are applied during their first login to Tenant B.
  • The resulting access token includes the expected permissions derived from those roles.

We understand that roles can be assigned inside a Post-Login Action, but:

  • The role assignment does not take effect immediately in the current access token.
  • The permissions are missing in the first token returned to the user.
  • On subsequent logins, the correct roles and permissions may appear in the token.

Our Question

What is the recommended best practice for assigning roles (and having their permissions reflected in the access token) during first-time login via an OIDC connection?

We are exploring the following workarounds, but are unsure of their long-term reliability or support:

  • Adding custom claims manually in the Action based on connection or domain.

What We Need

  • A supported and reliable approach for:
    • Assigning roles to users federated via OIDC connections during their first login.
    • Ensuring that access tokens reflect those roles/permissions immediately if possible.
  • Clarification on whether Auth0 supports:
    • Immediate token enrichment after role assignment in an Action.
    • Hooks or pre-user creation logic that could assist here.

Hi @preethamgowda,

Welcome to the Auth0 Community and sorry for the delayed response!

You can assign roles to users on their initial login and append them to the ID or Access Token by using a Post-Login Action as described in this community article - Add Roles and Permissions to the ID Token Using Actions.

The changes, however, will be noticed only on a subsequent login, given the nature of the event object from within the Action. A more detailed explanation can be found in this post - Roles custom claim is empty after roles are set on user creation (via auto-import). So the workaround would be performing a silent authentication request to get the updated token set.

Hope this helps!
Thanks,
Remus
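One way to combine the Post-Login Action approach from the reply with the custom-claims workaround mentioned in the question, as an added example that is not from this thread or from Auth0: it assumes an Action running in Tenant B, the `auth0` Node SDK v4 `users.assignRoles` method, and placeholder values for the role id, the OIDC connection name and the claim namespace. The claims it sets for the first token come from the Action's own role-to-permission map, not from Auth0's RBAC evaluation, so that map has to be kept in sync with the roles defined in Tenant B.

```javascript
// Added example (not from the thread). Assumptions: this runs as a Post-Login Action in
// Tenant B, the `auth0` npm package (SDK v4) is added as an Action dependency, and the
// Management API credentials live in Action secrets. Ids and names below are placeholders.
const FEDERATED_CONNECTION = 'tenant-a-oidc'; // placeholder: OIDC connection name in Tenant B
const NAMESPACE = 'https://example.com/';     // custom claims must be namespaced
const ROLE_ID = 'rol_PLACEHOLDER';            // placeholder: id of the App 2 role in Tenant B
// Constructed mirror of the permissions attached to that role in Tenant B. Keep in sync
// with the role definition, because Auth0 does not evaluate it for the current token.
const ROLE_PERMISSIONS = { [ROLE_ID]: ['read:reports', 'write:reports'] };

// First login through the federated connection: logins_count is 1 in the Post-Login event.
function isFirstFederatedLogin(event) {
  return event.connection.name === FEDERATED_CONNECTION && event.stats.logins_count === 1;
}

// Core logic, separated from the SDK wiring so it can be exercised offline with a fake client.
// Returns the permissions surfaced in the current access token ([] when nothing was done).
async function assignFirstLoginRoles(event, api, mgmt) {
  if (!isFirstFederatedLogin(event)) return [];
  // Persist the role in Tenant B; Auth0's RBAC will include its permissions on later logins.
  await mgmt.users.assignRoles({ id: event.user.user_id }, { roles: [ROLE_ID] });
  // The event object for this login was built before the assignment, so the RBAC
  // permissions are not in this token yet; surface the expected set as custom claims.
  const perms = ROLE_PERMISSIONS[ROLE_ID];
  api.accessToken.setCustomClaim(`${NAMESPACE}permissions`, perms);
  api.idToken.setCustomClaim(`${NAMESPACE}roles`, [ROLE_ID]);
  return perms;
}

async function onExecutePostLogin(event, api) {
  // Lazy require keeps the module loadable where the SDK is absent (e.g. offline tests).
  const { ManagementClient } = require('auth0');
  const mgmt = new ManagementClient({
    domain: event.secrets.DOMAIN,
    clientId: event.secrets.CLIENT_ID,
    clientSecret: event.secrets.CLIENT_SECRET,
  });
  await assignFirstLoginRoles(event, api, mgmt);
}

// Auth0 loads the Action through this export; guarded so the file also runs as plain script.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

Subsequent logins fall through the `isFirstFederatedLogin` check, so the real RBAC permissions from the stored role take over and the custom claims are only ever set once, on the first token.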