We have an action that pulls user permissions from an internal service and assigns them directly to the user. It is not working with Organization Invitations.
- If the user already has an account and signs in, the permissions are present in the JWT
- If the user signs up outside of the invitation, the permissions are present in the JWT
- If the user accepts an Organization Invite, the permissions are NOT present in the JWT
- If they log out and back in, the permissions are then present
Here is a simplified version of our action code:
```javascript
exports.onExecutePostLogin = async (event, api) => {
  // getManagementClient, getPermsFromInternalService and getPermNamesFromAuth0
  // are our own helpers, omitted from this simplified version.
  const management = await getManagementClient(event, api);
  // Normalise both sides to Sets so .has() works, then spread to arrays for .filter()
  const permissionsToSync = new Set(await getPermsFromInternalService(event));
  const currentAuth0Permissions = new Set(await getPermNamesFromAuth0(event, management));
  const permsToRemove = [...currentAuth0Permissions].filter(perm => !permissionsToSync.has(perm));
  const permsToAdd = [...permissionsToSync].filter(perm => !currentAuth0Permissions.has(perm));

  if (permsToRemove.length > 0) {
    await management.users.removePermissions({ id: event.user.user_id }, {
      permissions: permsToRemove.map(perm => ({
        "permission_name": perm,
        "resource_server_identifier": event.secrets.audience,
      }))
    });
  }
  if (permsToAdd.length > 0) {
    await management.users.assignPermissions({ id: event.user.user_id }, {
      permissions: permsToAdd.map(perm => ({
        "permission_name": perm,
        "resource_server_identifier": event.secrets.audience,
      }))
    });
  }
};
```
- We tried using a post-registration action, but that does not trigger on invitation acceptance
- To avoid complexity, we do not want to use roles for this. That would end up with 1 role per permission, which is overcomplicated and creates clutter.
- This means we cannot assign roles in the Organization Invite itself
Is there a way of refreshing the JWT in the action to make sure the new permissions are present?
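Added example (not the poster's code): it keeps the same Management API sync as the post, but also copies the synced permission list into a custom claim on the access token, since a claim set inside the post-login action lands in the token minted in the same transaction (including the one issued right after an invitation is accepted), whereas the Management API writes do not. The claim name, the injected fetch helpers and the sample data are assumptions.

```javascript
// Added example, not the poster's code: same sync as the post, plus the synced
// list is copied into a custom claim so the token minted in this transaction
// already carries it. The claim name and injected fetch helpers are assumptions.
const PERMISSIONS_CLAIM = "https://example.com/permissions"; // hypothetical namespace

// Pure helper: what must change in Auth0 so it matches the internal service.
function diffPermissions(currentAuth0Perms, desiredPerms) {
  const current = new Set(currentAuth0Perms);
  const desired = new Set(desiredPerms);
  return {
    toAdd: [...desired].filter((p) => !current.has(p)).sort(),
    toRemove: [...current].filter((p) => !desired.has(p)).sort(),
  };
}

// Shape the Management API expects when (un)assigning permissions to a user.
function toPermissionObjects(names, audience) {
  return names.map((name) => ({
    permission_name: name,
    resource_server_identifier: audience,
  }));
}

// Handler factory: the fetch helpers are injected so the handler can run
// without network access in a test.
function makeOnExecutePostLogin({ getManagementClient, getPermsFromInternalService, getPermNamesFromAuth0 }) {
  return async (event, api) => {
    const management = await getManagementClient(event, api);
    const desired = await getPermsFromInternalService(event);        // iterable of names
    const current = await getPermNamesFromAuth0(event, management);  // iterable of names
    const { toAdd, toRemove } = diffPermissions(current, desired);
    const audience = event.secrets.audience;
    const userRef = { id: event.user.user_id };

    if (toRemove.length > 0) {
      await management.users.removePermissions(userRef, { permissions: toPermissionObjects(toRemove, audience) });
    }
    if (toAdd.length > 0) {
      await management.users.assignPermissions(userRef, { permissions: toPermissionObjects(toAdd, audience) });
    }
    // The Management API writes above are not reflected in the token Auth0 is
    // about to mint; a custom claim set in this transaction is.
    api.accessToken.setCustomClaim(PERMISSIONS_CLAIM, [...new Set(desired)].sort());
  };
}
```

The API consuming the token then reads the custom claim (or re-queries the internal service) rather than relying on the RBAC `permissions` claim for the first token after an invitation.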