TL;DR: When roles are updated in an action, they are not visible to subsequent actions.
We are currently working on migrating from rules to actions, however, we are encountering a limitation and are wondering if there is a recommended approach.
Context
Previously we had two separate rules:
1. Assign a new role to qualified users:
   a. Assign user roles via Management API
   b. Update the event.authorization.roles object with new roles (so it’s available to subsequent rules)
2. Add all user roles to custom claims in token
Problem
The limitation with actions is that it doesn’t allow us to update the event object so that the roles are visible to subsequent actions.
Therefore, after a new role is assigned to a user in action #1, the role is not added to their custom claims in action #2.
Is there a way to achieve the above behavior we previously achieved in rules, when using actions?
The workaround for us would be to set the custom claims in the same action that assigns the new roles, but that is less than ideal.
Thank you for posting your questions; due to the event object nature, it’s currently not possible to achieve a scenario where assigning users to a role and adding them to the custom claims in the token will be split into two actions. Right now, the best option is to merge them into a single action. However, I encourage you to raise this question as a product feature request in the Feedback category. You can read our FAQ regarding submitting a feature request here: How to Submit Product Feedback or Feature Requests
To close the loop on this, this is the guidance we received directly from Auth0:
The workaround is to use the api.user.setAppMetadata method and, in the last action, set the metadata fields to “undefined” (so the user profile isn’t updated). You can skip the last step if you need the new roles to stay on the user profile in Auth0.
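The workaround described above, sketched as two Actions plus a local stand-in for the Actions runtime. This is an added example, not code from the thread or from Auth0. The metadata key `flow_roles`, the claim namespace, the role name, and the `assignRoles` helper (a stand-in for the Management API call) are assumptions.

```javascript
// Added example: names marked "hypothetical" or "constructed" are assumptions.
const CLAIM = 'https://example.com/roles'; // constructed namespaced claim
const KEY = 'flow_roles';                  // hypothetical app_metadata key
const NEW_ROLE = 'qualified-user';         // constructed role name

// Action #1. In Auth0 this is the body of exports.onExecutePostLogin;
// assignRoles is a hypothetical stand-in for the Management API call.
async function assignRoleAction(event, api, assignRoles) {
  const roles = [...(event.authorization?.roles ?? [])];
  if (!roles.includes(NEW_ROLE)) {
    await assignRoles(event.user.user_id, [NEW_ROLE]);
    roles.push(NEW_ROLE);
  }
  // Hand the up-to-date list to later Actions in the same flow.
  api.user.setAppMetadata(KEY, roles);
}

// Last Action: read the handed-over roles, set claims, clear the field.
async function addClaimsAction(event, api) {
  const roles = event.user.app_metadata?.[KEY] ?? event.authorization?.roles ?? [];
  api.idToken.setCustomClaim(CLAIM, roles);
  api.accessToken.setCustomClaim(CLAIM, roles);
  // Set to undefined so the temporary field is not saved to the profile.
  api.user.setAppMetadata(KEY, undefined);
}

// Local stand-in for the Actions runtime (assumption, following the guidance
// above: metadata set in one Action is readable by the next one).
async function simulateLogin(event) {
  const out = { idToken: {}, accessToken: {}, assigned: [] };
  const api = {
    user: { setAppMetadata: (k, v) => { event.user.app_metadata[k] = v; } },
    idToken: { setCustomClaim: (k, v) => { out.idToken[k] = v; } },
    accessToken: { setCustomClaim: (k, v) => { out.accessToken[k] = v; } },
  };
  const assignRoles = async (id, r) => { out.assigned.push({ id, r }); };
  await assignRoleAction(event, api, assignRoles);
  await addClaimsAction(event, api);
  // JSON round trip drops undefined fields, modelling "profile isn't updated".
  out.persisted = JSON.parse(JSON.stringify(event.user.app_metadata));
  return out;
}

// Constructed sample event: the user holds one role before this login.
const sampleEvent = (roles = ['viewer']) => ({
  user: { user_id: 'auth0|example', app_metadata: {} },
  authorization: { roles },
});
```

If the roles should stay on the stored profile, drop the final `setAppMetadata(KEY, undefined)` call, as the guidance notes.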