Management API delete user inconsistent role deletion

We are using the Management API to sync Users in an Auth0 Database with our internal Database. Therefore we create and delete Users in Auth0 using the Management API, we also assign Roles to the users on after creation. We observed a bug, where users lost their role after some time after hey have been created and assigned the role. Immediatly after Creating the user, they are able to login and get an access token with the scopes assiged from the role. But 24 hours later the access token does not contain the scopes any more and the role is not assigned to the user anymore. But we do not call any Management API to remove the role and in the Auth0 Log there is no log that indicates, that the role was removed from the user.

This only happens if the user already existed before in Auth0 Database and is deleted via the Management API shortly before it is recreated via the Management API.
How to reproduce:

  1. Create User using management API
  2. Assign User a role using the Management API
  3. wait
  4. Delete User using Management API
  5. Create the same user(same user_id) again using Management API
  6. Assign the User the role again
  7. User password and username to get an access token
  8. verify access token has scopes from role
  9. wait some time
  10. get new access token with user password and username
  11. verify access token has scopes from role

step 11 fails sometimes, we think this is a race condition in the deletion and creation of the user and therefore can only be reproduced sometimes.

I can provide Auth0 Audit logs which show this behavior

Hey there @Legion2 thanks for reporting this, I’m going to attempt to reproduce this myself and will report back :saluting_face:

Hey there @Legion2 just following up on this again in testing - How are you adding roles/role permissions to access tokens? Does the role itself remain assigned to the user and the issue is strictly to do with the role/role permissions in the access token?

Let us know!

Hi, the role is added via management API and is mapped to scope claim in the access token. When in step 11 the access token does not have the scopes anymore, also the role is not assigned to the user anymore.

Any update on this issue. I am also expriencing the same problem. Any resolutions.

No there is no update, however I discovered a related issue during user migration. We migrated Auth0 users from one auth0 database to another auth0 database. We created a script which imports the users and also imports the roles of the users in the new database. After we deleted the old auth0 database all roles for the new users where lost. I think this is because the users in the new and old database have the same id and so the roles associated with the users in the new and old database where technically the same, and when the old users where deleted, it auth0 automatically deleted the roles for the users and thereby also deleted the new roles of the new users.