Setting a user role in an action will not update the permissions in the access token

I am migrating roles to actions and I found one issue when it comes to updating users roles in an Login / Post login action.

I make use the permissions array of the access token in my application, so I activated RBAC and the option to add permissions in the access token.

In the Login / Post login action, I assign a role to the user if the user has no assigned roles yet. I use the Auth0 Management API to do this (ManagementClient - Documentation).
After the action has successfully run and the user logged in, the permissions array is empty in the access token. If this user does a relog, everything works as expected.

With rules, the permissions were also correctly filled after the first login.

Can you help me with this issue?

Hi @kl.auth

Welcome to Auth0 Community !!!

Don’t use Management API call for this. You can add a custom roles claim in a post-login action like this:

 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
exports.onExecutePostLogin = async (event, api) => {
  const namespace = '';
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);

Hope it helps


1 Like

Just to clarify: We need the permissions of the rule managed inside the Auth0 configuration in the access token. We do not need the rule as a custom claim in the access token. We only care about the permissions behind the roles.

Can anyone help with this topic? Jeffs proposal does not help, since we do not care about the roles which are assigned to the user. We only care about the permissions behind the roles assigned to the user.

With rules, everything worked fine. Isn’t this a bug inside the actions implementation?

1 Like