I’ve also hit this limitation and had to work around it. I ended up doing as @hendrik described - I have “complete user registration” login action which checks a flag in the user’s app_metadata and if the flag is missing, runs some code (in my case to assign roles and set user metadata based on a custom invitation it retrieves from an API in our systems), then sets the flag in app_metadata to prevent the same code running a second time. This works, but it feels hacky, and is vulnerable to somebody inadvertently messing with the flag I’ve set in app_metadata (I also check for logins_count > 1, but I found the action runs more than once with logins_count == 1 as I refresh my SPA app page after first login, so testing logins_count > 1 on it’s own is not a safe way of preventing the code running multiple times).
3 Likes