Set up a rule to assign permissions to a user using the management API (first-time login only). If you then have a second rule that uses the management API to get those permissions, you’ll find that the permissions returned are empty.
Subsequent logins work just fine acquiring those permissions.
When it comes to the order, is rule 2 below rule 1 (I know it should be obvious but wanted to ask), so that once rule 1 is executed the data that needs to be present can be fetched by rule 2?
So, for instance, a scenario we have is for Migrated Users: we store the permissions and roles in the user metadata (obtained from the GetUser script). During login we check if any perms or roles are in the metadata, and if so, use the management API to add them. We then clear the metadata. A subsequent rule then adds the roles and permissions into the IdToken/AccessToken.
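The two-rule flow discussed in this thread, as an added example that is not code from any of the posts or from Auth0. It assumes a constructed in-memory stub in place of the Management API (modelling the reported behaviour that a read during the first login comes back empty), and the names `migrated_permissions`, `context.justAssigned` and the claim namespace are hypothetical; handing the values over on `context` is one possible way to keep rule 2 from depending on that read, not a confirmed fix.

```javascript
// Added example: constructed stub, not Auth0's real Management API client.
// It models the behaviour reported in the thread: permissions assigned
// during a login are not visible to a read made within that same login.
function makeStubApi() {
  const committed = {}, pending = {};
  return {
    assign(userId, perms) { pending[userId] = perms; },
    getPermissions(userId) { return committed[userId] || []; },
    endLogin() { Object.assign(committed, pending); } // writes become visible later
  };
}

// Rule 1 (runs first): move migrated permissions out of the metadata.
function migrateRule(api) {
  return function (user, context, callback) {
    const perms = (user.app_metadata || {}).migrated_permissions || []; // hypothetical key
    if (perms.length > 0) {
      api.assign(user.user_id, perms);
      delete user.app_metadata.migrated_permissions; // clear metadata, as in the thread
      context.justAssigned = perms; // hypothetical hand-off to later rules
    }
    callback(null, user, context);
  };
}

// Rule 2 (runs second): add the permissions to both tokens.
function claimsRule(api) {
  return function (user, context, callback) {
    // Prefer what rule 1 just assigned; otherwise read from the API.
    const perms = context.justAssigned || api.getPermissions(user.user_id);
    const claim = 'https://example.com/permissions'; // placeholder namespace
    context.idToken[claim] = perms;
    context.accessToken[claim] = perms;
    callback(null, user, context);
  };
}

// Run the rules in order for one login and return the resulting context.
function login(api, user, rules) {
  let ctx = { idToken: {}, accessToken: {} };
  for (const rule of rules) {
    rule(user, ctx, (err, u, c) => { if (err) throw err; ctx = c; });
  }
  api.endLogin();
  return ctx;
}
```
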