I’ve created a Post-Registration Action to assign a default role to the user. This works as expected.
I’ve created a Post-Login Action to return this role in a custom claim. This works as expected when a user logs in.
However, the Post-Login Action does not work when registering. The event.authorization.roles object is empty, and so no roles are included in the custom claim.
I think this post is referring to the same issue but I can’t see a fix mentioned: Why Post Login action is not called after Post Registration action?.
This post is also probably eluding to the same issue: Why Post Login action is not called after Post Registration action?.
I contemplated combining the code like this post (Post-login Action Not Assigning a Default Role on Login) but I setting the claims would probably require an extra API call, which I’d like to avoid. I could hardcode the role name but I would also like to avoid that.
You should be able to use the solution provided in that FAQ you shared and append the roles as custom claims without incurring another API call. Unfortunately, this will require you to hardcode these Roles either directly in the Action script or as Secrets.
Please let me know if you have any additional questions.
Is there another way? Why is the Authorization.Roles array empty after registration has assigned a role? Is this expected?
Hardcoding the values adds an extra layer of work when I add future roles.
Just to note - I do not consider Rueben’s answer to be the “solution”. Hardcoding values does not constitute an ideal solution, more a workaround.
Thanks for your responses.
Yes, the other way is to use a Post-Login action to assign the user a role on the first login and append it as a custom claim.
Let me also clarify that the Post-Registration Action is asynchronous, while the Post-Login Action is synchronous. This means that the timing of when these actions complete are not synced in order. Therefore, you are experiencing a scenario where the Post-Login action is unaware of the updates performed on the user during the Post-User registration flow.
A workaround to hardcoding these values is to append them to the user_metadata. This way you can still call
event.user.user_metadata to retrieve the roles you need and proceed accordingly.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.