I have a Rule that assigns a default role to a user on their initial login. For some users, additional roles were granted after the initial login. The application/api is configured so permissions for assigned roles are automatically added to the access token. It looks like only permissions for the initial role are in the access token. If I look in the Rule, the context.authorization.roles array contains only the initial role. If I look in an Action, the event.authorization.roles array contains only the initial role.
The initial role configuration seems to stick even if I delete all roles.
How do I get the access token generator to recognize the set of roles currently granted to the user?
It looks like you’re encountering an error outlined here. Essentially, when you use the Management API from an Action to modify the current user, it updates the user’s profile but not the event object. This means any changes to the profile won’t be visible until the user logs in again.
One workaround for this scenario is to get the permissions at the same time you assign the user to the role. To do this, use the managementClient.users.getPermissions() method.
This could be part of the problem. What I’m seeing is the initial role is set up. I don’t know what that token looked like. After that, I can change roles and issue new tokens, but the context.authorization.roles field does not change and the permissions in the access token do not change.
I would assume that when you assign the initial role on the user’s first login, the initial token issued would not contain details about the user’s role or permissions until their subsequent login.
If you make any changes to the roles, you will need to issue a new token.
As mentioned previously, a workaround is to set the Roles and Permissions directly to the access token at the same time as a custom claim just to get around this issue.
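The workaround described in the two answers above, written out as an added example that is not code from the thread: a post-login Action that assigns the default role on first login, then re-reads the user's current roles and permissions through the Management API in the same run and writes them into the access token as custom claims instead of trusting event.authorization. The Management client is passed in as a third argument so the logic can run offline against the constructed stub below; the claim namespace, the role id and the v3-style response shapes of the `auth0` package are assumptions.

```javascript
// Action logic: assign the default role on first login, then re-read roles and
// permissions via the Management API (injected; v3-style response shapes assumed).
const NAMESPACE = 'https://example.com/';          // assumed custom-claim namespace
const DEFAULT_ROLE_ID = 'rol_placeholder_default';  // assumed role id (placeholder)

// Reduce Management API permission objects to a de-duplicated, sorted list of names.
function permissionNames(permissions) {
  return [...new Set(permissions.map((p) => p.permission_name))].sort();
}

async function onExecutePostLogin(event, api, management) {
  const id = event.user.user_id;
  if (event.stats.logins_count === 1) {
    await management.users.assignRoles({ id }, { roles: [DEFAULT_ROLE_ID] });
  }
  // event.authorization only reflects the state when the login began, so do not
  // rely on it after assigning roles; ask the Management API for the current state.
  const roles = await management.users.getRoles({ id });
  const permissions = await management.users.getPermissions({ id });
  api.accessToken.setCustomClaim(`${NAMESPACE}roles`, roles.map((r) => r.name).sort());
  api.accessToken.setCustomClaim(`${NAMESPACE}permissions`, permissionNames(permissions));
}

// Constructed in-memory stand-in for the Management client (offline use only).
function makeStubManagement(userRoles, rolePermissions) {
  const rolesOf = (id) => userRoles[id] || [];
  return {
    users: {
      async assignRoles({ id }, { roles }) {
        userRoles[id] = [...new Set([...rolesOf(id), ...roles])];
      },
      async getRoles({ id }) {
        return rolesOf(id).map((rid) => ({ id: rid, name: rid.replace(/^rol_/, '') }));
      },
      async getPermissions({ id }) {
        return rolesOf(id).flatMap((rid) => rolePermissions[rid] || []);
      },
    },
  };
}

// Run one login against a client and return the custom claims that were set.
async function simulateLogin(userId, loginsCount, management) {
  const claims = {};
  const api = { accessToken: { setCustomClaim: (key, value) => { claims[key] = value; } } };
  const event = { user: { user_id: userId }, stats: { logins_count: loginsCount } };
  await onExecutePostLogin(event, api, management);
  return claims;
}
```

Running simulateLogin twice against the same stub, with an extra role granted in between, shows the second token carrying the new role's permissions, which is exactly what the event object alone would not reflect.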