Multiple Rules not Triggering and Hubspot Integration not working

I am combining 3 rules:

1: Assign a default role to a new user on first login (How do I add a default role to a new user on first login?)

2: Add New Contact to Hubspot for Marketing (as template given in Rules)

3: Set assigned roles to token: (https://auth0.com/docs/authorization/sample-use-cases-rules-with-authorization?_ga=2.118904521.1190576816.1603089673-593279948.1601885769#add-user-roles-to-tokens)

If I apply all 3 rules - then on signup I get:

Access Denied and Error Description :Cannot create property ‘app_metadata’ on string ‘’

If I disable rule 2, then I can signup/login but the rule 3 role is not assigned to the token that is sent to my web app (so I can’t provide role based experiences) - if I log out and log back in in this scenario then rule 3 is triggered and I can provide rule based experiences.

Any idea what’s going wrong?

Note, it does create the user when all 3 are enabled. If after an error, I disable rule 2, log in, then it works. Then if I log back out and re-enable rule 2 and log back in, it works fine adding the appropriate data to app_metadata.

Is there an issue creating app_metadata on sign up but not log in?
Also, why would rule 1 and 3 not work together on sign up, but it does on re log in?

Further testing - on signup, rules don’t seem to be able to read user?

Further further testing - I believe rule 1 is not playing well with the other rules. Does it not resolve properly within a rule? Does the management function perhaps not wait for resolving and thus the rule is not performing callback before ending the rule?

Does rule 3 not work on signup because it has already sent a token? How would this be resolved?


Regarding the Rules only working on reauthentication - there seems to be a solution here:

How would I implement this within a rule?


I use a regular web app in PHP sdk. Maybe there is a way to force to get a new auth token after login()? Below is my login.php code

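```php
<?php
require 'vendor/autoload.php';

use Auth0\SDK\Auth0;

// Configuration values left blank as in the original post
$auth0 = new Auth0([
  'domain' => '',
  'client_id' => '',
  'client_secret' => '',
  'redirect_uri' => '',
  'scope' => 'openid profile email',
]);

// Redirect the browser to the Auth0 login page
$auth0->login();
```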

Hi @jason10,

I think we should break this down a bit, seems like there are quite a few things going on here. The 1st and 3rd rule are both about roles, let’s address those first.

Can you post the code to rules 1 and 3? Is it exactly like the ones you posted or have you modified it? Then we can go through and see what you are working with.

Also, do you have a console log in each rule so you know whether or not it is running? Have you tried using the debug console yet?

I think the first and third rule are related, and we could probably combine them to get around some of these issues. Post the code and we will see what we can do.

The code is all exactly as in the examples given (except role_id etc):

I have resolved this currently by turning Rule 1 async as below:

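```js
// Auth0 Rule: assign a default role on the user's first login
async function (user, context, callback) {
  const ManagementClient = require('auth0@2.27.0').ManagementClient;

  const management = new ManagementClient({
    token: auth0.accessToken,
    domain: auth0.domain
  });

  // Only act on the first login
  const count = context.stats && context.stats.loginsCount ? context.stats.loginsCount : 0;
  if (count > 1) {
    return callback(null, user, context);
  }

  const params = { id: user.user_id };
  const data = { roles: ['my_role_id'] };

  try {
    // Wait for the Management API call to finish before ending the rule
    await management.users.assignRoles(params, data);
    callback(null, user, context);
  } catch (err) {
    // Report the failure instead of leaving the rule without a callback
    callback(err);
  }
}
```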

Thus I do believe that the issue was with the resolve or callback for some reason.

Regarding why the role is not passed to the access token, I believe that the access token is granted pre Rules and thus adding any roles won’t be added to the token until they log out and back in. Thus this is an issue solely with first sign up - as mentioned above, and linked to the other article, I believe I need to refresh the token somehow in php either client side, or it would be good to do so within a rule if possible.

Let me know what you think

You are on the right track. This issue is because the context object in rules (which contains context.authorization.roles) is created before the rule is added.

You can manually add the role to the token in that rule, because you know what the role is and you know this only runs on the first login.

Just add the rule to the token manually in the first login.

Thanks for the reply, how would I add the role to the token manually? I assumed I would have done this in rule 3 in the OP.

Are you adding permissions associated to the role or just need the role in the token? If it’s the latter then you can easily add it to every token.

The latter for now; I will determine role-based UX on the front end.

Then you can add the role to every user in the rule you have that adds roles to the token.

I see ok thanks, so it is not the token that is created pre rules, it is the context that is created pre rules, the token is created after rules. So instead of calling context to set the token, I set it manually on first sign up.

Thanks!

I think you’ve got it. Let me know if you aren’t able to get it working and I’ll take another look.
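The fix the thread arrives at, as an added example that is not code from the original posts or from Auth0: rules 1 and 3 are combined so that the role assigned during the first login is written into the token claims directly, because `context.authorization.roles` was captured before the rule ran. The claim namespace, the role name, and the `makeRolesRule` / `simulateLogin` helpers with their stubbed Management client are assumptions made so the example runs offline.

```javascript
// Added example: runs locally against a stubbed Management client; no Auth0 calls.
const NAMESPACE = 'https://example.com';   // assumed namespace for custom claims
const DEFAULT_ROLE = { id: 'my_role_id', name: 'my_role_name' }; // name is assumed

// Roles to put in the tokens: the context snapshot plus anything this rule
// assigned during the current login (the snapshot cannot contain it yet).
function tokenRoles(context, justAssigned) {
  const snapshot = (context.authorization || {}).roles || [];
  return [...new Set([...snapshot, ...justAssigned])];
}

// Rules 1 and 3 combined. `management` is injected here so the example runs
// offline; in a real rule it is built from auth0.accessToken / auth0.domain.
function makeRolesRule(management) {
  return async function (user, context, callback) {
    const count = (context.stats && context.stats.loginsCount) || 0;
    const justAssigned = [];
    try {
      if (count <= 1) {
        await management.users.assignRoles({ id: user.user_id }, { roles: [DEFAULT_ROLE.id] });
        justAssigned.push(DEFAULT_ROLE.name);
      }
      const roles = tokenRoles(context, justAssigned);
      context.idToken = { ...context.idToken, [`${NAMESPACE}/roles`]: roles };
      context.accessToken = { ...context.accessToken, [`${NAMESPACE}/roles`]: roles };
      callback(null, user, context);
    } catch (err) {
      callback(err); // surface Management API failures instead of hanging the login
    }
  };
}

// Constructed login: the context is built from stored roles BEFORE the rule runs.
function simulateLogin(loginsCount, storedRoleNames) {
  const assigned = [];
  const management = { users: { assignRoles: async (p, data) => { assigned.push(...data.roles); } } };
  const context = {
    stats: { loginsCount },
    authorization: { roles: [...storedRoleNames] },
    idToken: {}, accessToken: {},
  };
  return new Promise((resolve, reject) => {
    makeRolesRule(management)({ user_id: 'auth0|constructed-user' }, context,
      (err, user, ctx) => (err ? reject(err) : resolve({ ctx, assigned })));
  });
}
```

`simulateLogin(1, [])` resolves with the role already present in both token claim sets, while `simulateLogin(5, ['my_role_name'])` makes no Management API call and takes the role from the context.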
