Limitation in Rules => Actions Migration: Assign New Roles + Set Custom Claims

TL;DR: When roles are updated in an action, they are not visible to subsequent actions.

We are currently working on migrating from rules to actions, however, we are encountering a limitation and are wondering if there is a recommended approach.

Context

Previously we had two separate rules:

  1. Assign a new role to qualified users:
    a. Assign user roles via Management API
    b. Update the event.authorization.roles object with new roles (so it’s available to subsequent rules)
  2. Add all user roles to custom claims in token

Problem

The limitation with actions is that they don't allow us to update the event object so that the roles are visible to subsequent actions.

Therefore, after a new role is assigned to a user in action #1, the role is not added to their custom claims in action #2.

Is there a way to achieve the above behavior we previously achieved in rules, when using actions?

The workaround for us would be to set the custom claims in the same action that assigns the new roles, but that is less than ideal.

Hi @KIP

Welcome to the Auth0 Community!

Thank you for posting your questions; due to the event object nature, it’s currently not possible to achieve a scenario where assigning users to a role and adding them to the custom claims in the token will be split into two actions. Right now, the best option is to merge them into a single action. However, I encourage you to raise this question as a product feature request in the Feedback category. You can read our FAQ regarding submitting a feature request here: How to Submit Product Feedback or Feature Requests

Thanks
Dawid

To close the loop on this, this is the guidance we received directly from Auth0:

The workaround is to use the api.user.setAppMetadata method, and in the last action, set the metadata fields to undefined, so the user profile isn't updated. You can skip the last step if you need the new roles to stay on the user profile in Auth0.

Step #1: Action 1 sets app_metadata via api.user:

exports.onExecutePostLogin = async (event, api) => {
  // Write the newly assigned roles to app_metadata so later actions can read them
  api.user.setAppMetadata('new_roles', 'some:value');
};

Step #2: Action 2 and subsequently executed actions can read the values in the event.user object:

exports.onExecutePostLogin = async (event, api) => {
  // Metadata set by an earlier action in the same login flow is visible here
  console.log(event.user.app_metadata.new_roles);
};

Step #3: Auth0 will not update the user profile if the metadata fields are set to undefined:

exports.onExecutePostLogin = async (event, api) => {
  // Clear the hand-off field so it is not persisted on the user profile
  api.user.setAppMetadata('new_roles', undefined);
};
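The three-step hand-off above, carried through end to end as an added example (not code from the thread or from Auth0): Action 1 writes the qualifying roles to app_metadata, Action 2 merges them with event.authorization.roles into a custom claim, and Action 3 clears the hand-off field. runPipeline is a constructed stand-in for the Auth0 Actions runtime so the chain can be run offline; the claim namespace and the qualifying rule are assumptions, and the Management API call that actually assigns the role is left out.

```javascript
// Assumed claim namespace; Auth0 requires custom claims to be namespaced.
const ROLES_CLAIM = 'https://example.com/roles';

// Action 1: decide which new roles the user qualifies for (assumed rule: company
// e-mail domain) and hand them to later actions via app_metadata. The Management API
// call that persists the role assignment would sit next to this and is not shown.
const assignRoles = async (event, api) => {
  const newRoles = event.user.email.endsWith('@example.com') ? ['employee'] : [];
  api.user.setAppMetadata('new_roles', newRoles);
};

// Action 2: merge the roles Auth0 already knows about with the pending ones,
// de-duplicate, and place the result in both tokens.
const setRoleClaims = async (event, api) => {
  const current = event.authorization?.roles ?? [];
  const pending = event.user.app_metadata?.new_roles ?? [];
  const roles = [...new Set([...current, ...pending])];
  api.idToken.setCustomClaim(ROLES_CLAIM, roles);
  api.accessToken.setCustomClaim(ROLES_CLAIM, roles);
};

// Action 3: setting the field to undefined keeps it off the stored user profile.
const clearHandoff = async (event, api) => {
  api.user.setAppMetadata('new_roles', undefined);
};

// Constructed runtime stand-in (NOT an Auth0 API): runs the actions in order and
// applies setAppMetadata to event.user between them, as the guidance describes.
async function runPipeline(actions, user, authorization) {
  const event = { user: { ...user, app_metadata: { ...(user.app_metadata ?? {}) } }, authorization };
  const claims = { idToken: {}, accessToken: {} };
  const api = {
    user: {
      setAppMetadata: (key, value) => {
        if (value === undefined) delete event.user.app_metadata[key];
        else event.user.app_metadata[key] = value;
      },
    },
    idToken: { setCustomClaim: (key, value) => { claims.idToken[key] = value; } },
    accessToken: { setCustomClaim: (key, value) => { claims.accessToken[key] = value; } },
  };
  for (const action of actions) await action(event, api);
  return { claims, appMetadata: event.user.app_metadata };
}
```

Running the chain for a constructed user with an existing `member` role yields a `['member', 'employee']` claim while `new_roles` is absent from the final app_metadata.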