I’ve created a Post-Registration Action to assign a default role to the user. This works as expected.
I’ve created a Post-Login Action to return this role in a custom claim. This works as expected when a user logs in.
However, the Post-Login Action does not work when registering. The event.authorization.roles object is empty, and so no roles are included in the custom claim.
I contemplated combining the code like this post (Post-login Action Not Assigning a Default Role on Login), but setting the claims would probably require an extra API call, which I’d like to avoid. I could hardcode the role name, but I would also like to avoid that.
You should be able to use the solution provided in that FAQ you shared and append the roles as custom claims without incurring another API call. Unfortunately, this will require you to hardcode these Roles either directly in the Action script or as Secrets.
Please let me know if you have any additional questions.
Yes, the other way is to use a Post-Login action to assign the user a role on the first login and append it as a custom claim.
Let me also clarify that the Post-Registration Action is asynchronous, while the Post-Login Action is synchronous. This means that the timing of when these actions complete is not synced in order. Therefore, you are experiencing a scenario where the Post-Login action is unaware of the updates performed on the user during the Post-User registration flow.
A workaround to hardcoding these values is to append them to the user_metadata. This way you can still call event.user.user_metadata to retrieve the roles you need and proceed accordingly.