We are using the Management API to sync users in an Auth0 Database with our internal database. Therefore we create and delete users in Auth0 using the Management API, and we also assign roles to the users after creation. We observed a bug where users lost their role some time after they had been created and assigned the role. Immediately after creating the user, they are able to log in and get an access token with the scopes assigned from the role. But 24 hours later the access token does not contain the scopes any more and the role is not assigned to the user any more. We do not call any Management API to remove the role, and in the Auth0 log there is no entry that indicates that the role was removed from the user.
This only happens if the user already existed before in the Auth0 Database and is deleted via the Management API shortly before it is recreated via the Management API.
How to reproduce:
1. Create the user using the Management API
2. Assign the user a role using the Management API
3. Wait
4. Delete the user using the Management API
5. Create the same user (same user_id) again using the Management API
6. Assign the user the role again
7. Use password and username to get an access token
8. Verify the access token has the scopes from the role
9. Wait some time
10. Get a new access token with password and username
11. Verify the access token has the scopes from the role
Step 11 fails sometimes; we think this is a race condition in the deletion and creation of the user and therefore it can only be reproduced sometimes.
I can provide Auth0 Audit logs which show this behavior
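A script that automates the reproduction steps above and compares the two access tokens, as an added example that is not part of the original post and not Auth0's own code. It assumes the Management API v2 endpoints `POST /api/v2/users`, `DELETE /api/v2/users/{id}`, `POST /api/v2/users/{id}/roles` and `GET /api/v2/users/{id}/roles`, the Resource Owner Password grant on `/oauth/token`, and that the role's permissions show up in the token's `scope` or `permissions` claim; the tenant domain, tokens, connection name, role id and client credentials are placeholders you must fill in. The JWT helpers only decode the payload for inspection and do not verify the signature.

```python
import base64
import json
import time
import urllib.request
from typing import Any, List, Optional

# Placeholders (assumptions, not values from the post): fill in for your tenant.
DOMAIN = "YOUR_TENANT.auth0.com"
MGMT_TOKEN = "MANAGEMENT_API_TOKEN"   # needs create:users, delete:users, read:users, update:users
CONNECTION = "Username-Password-Authentication"
ROLE_ID = "rol_xxxxxxxxxxxx"
CLIENT_ID, CLIENT_SECRET = "APP_CLIENT_ID", "APP_CLIENT_SECRET"
AUDIENCE = "https://api.example.com"  # the API whose permissions the role grants


def api(method: str, path: str, body: Optional[dict] = None, token: str = MGMT_TOKEN) -> Any:
    """Minimal JSON HTTP helper for Management API v2 and /oauth/token (raises on non-2xx)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{DOMAIN}{path}", data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def create_user(user_id: str, email: str, password: str) -> dict:
    # Supplying user_id makes Auth0 store the user as "auth0|<user_id>".
    return api("POST", "/api/v2/users", {"connection": CONNECTION, "user_id": user_id,
                                         "email": email, "password": password,
                                         "email_verified": True})


def delete_user(full_id: str) -> None:
    api("DELETE", f"/api/v2/users/{full_id}")


def assign_role(full_id: str, role_id: str) -> None:
    api("POST", f"/api/v2/users/{full_id}/roles", {"roles": [role_id]})


def user_roles(full_id: str) -> List[str]:
    return [r["id"] for r in api("GET", f"/api/v2/users/{full_id}/roles")]


def password_grant(email: str, password: str) -> str:
    body = {"grant_type": "password", "username": email, "password": password,
            "audience": AUDIENCE, "scope": "openid",
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
    return api("POST", "/oauth/token", body, token="")["access_token"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped string; used only to exercise the claim helpers offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_claims(token: str) -> dict:
    """Decode the payload without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(token: str) -> List[str]:
    """Union of the space-separated 'scope' claim and the RBAC 'permissions' list."""
    claims = jwt_claims(token)
    perms = set(claims.get("permissions", []))
    perms.update(claims.get("scope", "").split())
    return sorted(perms)


def lost_permissions(first_token: str, later_token: str) -> List[str]:
    """Permissions present in the first token but missing from the later one."""
    return sorted(set(granted_permissions(first_token)) - set(granted_permissions(later_token)))


def reproduce(user_id: str, email: str, password: str,
              delete_create_gap_s: float = 0.0, recheck_after_s: float = 24 * 3600) -> dict:
    """Run the delete/recreate/reassign sequence and report what the second token lost."""
    full_id = f"auth0|{user_id}"
    create_user(user_id, email, password)
    assign_role(full_id, ROLE_ID)
    time.sleep(5)
    delete_user(full_id)
    time.sleep(delete_create_gap_s)          # the suspected race window: vary this
    create_user(user_id, email, password)
    assign_role(full_id, ROLE_ID)
    first = password_grant(email, password)
    roles_before = user_roles(full_id)
    time.sleep(recheck_after_s)
    later = password_grant(email, password)
    return {"roles_before": roles_before, "roles_after": user_roles(full_id),
            "lost_permissions": lost_permissions(first, later)}


if __name__ == "__main__":
    print(json.dumps(reproduce("race-test-1", "race-test-1@example.com", "Str0ng!Passw0rd"), indent=2))
```

Running `reproduce` in a loop with different `delete_create_gap_s` values narrows down whether the gap between the DELETE and the second POST is what triggers the loss; a non-empty `lost_permissions` together with an empty `roles_after` and no corresponding entry in the tenant log is the case described above.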