Access Denied and Error Description: Cannot create property ‘app_metadata’ on string ‘’
If I disable rule 2, then I can signup/login but the rule 3 role is not assigned to the token that is sent to my web app (so I can’t provide role based experiences). If I log out and log back in in this scenario, then rule 3 is triggered and I can provide rule based experiences.
Any idea what’s going wrong?
Note, it does create the user when all 3 are enabled. If after an error, I disable rule 2, log in, then it works. Then if I log back out and re-enable rule 2 and log back in, it works fine adding the appropriate data to app_metadata.
Is there an issue creating app_metadata on sign up but not log in?
Also, why would rule 1 and 3 not work together on sign up, but it does on re log in?
Further testing - on signup, rules don’t seem to be able to read user?
Further further testing - I believe rule 1 is not playing well with the other rules. Does it not resolve properly within a rule? Does the management function perhaps not wait for resolving and thus the rule is not performing callback before ending the rule?
Does rule 3 not work on signup because it has already sent a token? How would this be resolved?
I think we should break this down a bit, seems like there are quite a few things going on here. The 1st and 3rd rule are both about roles, let’s address those first.
Can you post the code to rules 1 and 3? Is it exactly like the ones you posted or have you modified it? Then we can go through and see what you are working with.
Also, do you have a console log in each rule so you know whether or not it is running? Have you tried using the debug console yet?
I think the first and third rule are related, and we could probably combine them to get around some of these issues. Post the code and we will see what we can do.
The code is all exactly as in the examples given (except role_id etc):
I have resolved this currently by turning Rule 1 async as below:
async function (user, context, callback) {
  const ManagementClient = require('auth0@2.27.0').ManagementClient;
  const management = new ManagementClient({
    token: auth0.accessToken,
    domain: auth0.domain
  });
  // Only assign the role on the first login.
  const count = context.stats && context.stats.loginsCount ? context.stats.loginsCount : 0;
  if (count > 1) {
    return callback(null, user, context);
  }
  const params = { id: user.user_id };
  const data = { roles: ["my_role_id"] };
  try {
    // Wait for the Management API call to finish before ending the rule.
    await management.users.assignRoles(params, data);
  } catch (err) {
    // Surface the failure instead of leaving the rule without a callback.
    return callback(err);
  }
  callback(null, user, context);
}
Thus I do believe that the issue was with the resolve or callback for some reason.
Regarding why the role is not passed to the access token, I believe that the access token is granted pre Rules and thus adding any roles won’t be added to the token until they log out and back in. Thus this is an issue solely with first sign up - as mentioned above, and linked to the other article, I believe I need to refresh the token somehow in PHP either client side, or it would be good to do so within a rule if possible.
You are on the right track. This issue is because the context object in rules (which contains context.authorization.roles) is created before the rule is added.
You can manually add the role to the token in that rule, because you know what the role is and you know this only runs on the first login.
Just add the rule to the token manually in the first login.
I see, OK, thanks. So it is not the token that is created pre rules, it is the context that is created pre rules; the token is created after rules. So instead of calling context to set the token, I set it manually on first sign up.
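A sketch of the approach the thread settles on, added here as an example and not code posted by anyone in the thread: assign the role on first login, then write it into namespaced token claims by hand because `context.authorization.roles` was populated before the rule ran. `NAMESPACE`, `DEFAULT_ROLE.name`, `addRoleClaims`, `makeFirstLoginRule` and `fakeManagement` are hypothetical names, and the Management client is injected so the block runs offline.

```javascript
const NAMESPACE = 'https://example.com/'; // placeholder claim namespace (assumption)
const DEFAULT_ROLE = { id: 'my_role_id', name: 'my_role_name' }; // name is assumed

// Copy role names into namespaced custom claims on both tokens.
function addRoleClaims(context, roles) {
  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};
  context.idToken[NAMESPACE + 'roles'] = roles;
  context.accessToken[NAMESPACE + 'roles'] = roles;
  return context;
}

// In a real Rule, `management` is the ManagementClient built from
// auth0.accessToken and auth0.domain; here it is passed in for testing.
function makeFirstLoginRule(management) {
  return async function (user, context, callback) {
    const count = context.stats && context.stats.loginsCount ? context.stats.loginsCount : 0;
    // Roles the context already knew about before any rule ran.
    const known = (context.authorization && context.authorization.roles) || [];
    if (count > 1) {
      // Later logins: the context snapshot already contains the role.
      return callback(null, user, addRoleClaims(context, known));
    }
    try {
      await management.users.assignRoles({ id: user.user_id }, { roles: [DEFAULT_ROLE.id] });
    } catch (err) {
      // Fail closed: issue no role claim if the assignment did not persist.
      return callback(err);
    }
    // First login: the snapshot is stale, so add the role name manually.
    const roles = Array.from(new Set(known.concat(DEFAULT_ROLE.name)));
    return callback(null, user, addRoleClaims(context, roles));
  };
}

// Constructed stand-in for the Management API client, recording each call.
const fakeManagement = {
  calls: [],
  users: {
    assignRoles(params, data) {
      fakeManagement.calls.push({ params, data });
      return Promise.resolve();
    }
  }
};
```

The claim is only written after `assignRoles` resolves, so a token never carries a role that was not actually stored on the user.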