Problem statement
We noticed a strange difference in behavior when assigning a role in a post-login Action. When this Action executes during an Auth Code Flow + PKCE, the role is assigned and the permissions are correctly added to the issued token.
When we attempt the ROPG flow, the role is assigned but the permissions array is empty. Once the user authenticates a second time, the array is populated with the expected permissions.
Is this a known limitation when using the ROPG flow as opposed to the Auth Code flow with PKCE?
Cause
Essentially, the behavior being seen in the ROPG flow is to be expected since we do not intend to support adding/modifying roles or permissions for users in Rules/Actions, and then later in that same transaction have the tokens reflect that modification. The fact that this is working in a code flow is actually the undesired behavior from the Auth0 perspective and is not something truly supported and could very well be fixed to follow the same behavior seen with the ROPG flow.
Solution
For now the best workaround for this is to have your app make an immediate Silent Auth transaction in order to get the updated tokens with the expected values.