Updating Auth0 User appmetadata after initial login

Good evening! I have been trying to find an authentication solution in order to allow our WordPress users to authenticate into our new Flutter mobile app that we are trying to stand up. I’m leaning towards Auth0 vs Firebase but seem to be stuck at a vital point.

Currently I have installed the Login by Auth0 Version 4.6.0.
I realize that there is a new version 5 available, but it is not yet in the WordPress marketplace, and unfortunately the Composer route is above my head.

I have set up a database connection with username/password authentication, and I have the Import Users to Auth0 toggle set to true.

I have “Use My Own Database” toggled to true and I have set up the Login and Get User scripts.

I have tried them, and they are working as expected, meaning I can get real-time information for Get User and Login when testing.

The issue I’m encountering is when a user logs into the Universal Login page for the first time: they get created as a user in Auth0 and the app_metadata is properly recorded. For instance, a user logs in and they may have the subscriber role in WordPress.

I have tested changing a user’s role in WordPress to a different role like contributor. My database action scripts properly reflect the updated role, but the user’s profile in Auth0 still shows the original subscriber role in the app_metadata.

I kept on reading and came across the Actions library, and attempted to correct this by using custom claims and the event/API calls in the post-login flow, but I still only retrieve the Auth0 data and seemingly not the updated WordPress data.

Lastly, if I delete the user from Auth0 and they log in again, then of course the new role populates, but it seems inefficient to track users in this manner after a role update (update the user in WordPress and then delete their existing Auth0 user profile).

For reference:

Login Script:

/* globals require, configuration */
/*configuration.endpointUrl + 'migration-ws-get-user',*/

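/**
 * Auth0 custom-database Login script: checks `email`/`password` against the
 * WordPress migration endpoint and maps the returned WP_User JSON onto an
 * Auth0 profile.
 *
 * @param {string} email - Identifier typed on the login page; sent to WordPress as `username`.
 * @param {string} password - Plain-text password; forwarded to WordPress for verification.
 * @param {function(Error=, Object=)} callback - Auth0 completion callback. Called with
 *   `(error)` when the HTTP request fails, the body is not JSON, or the body is
 *   not an object; `(null)` when WordPress reports an error or returns no `data`
 *   (no matching user); `(null, profile)` on success.
 */
function login(email, password, callback) {
  var request = require('request');

  // `endpointUrl` is concatenated as-is, so it must end with '/'.
  // The password and `migrationToken` travel in the POST body, so the
  // endpoint must be reachable over HTTPS only.
  request.post(
    configuration.endpointUrl + 'migration-ws-get-user',
    {
      form: {
        username: email,
        password: password,
        access_token: configuration.migrationToken
      }
    },
    function(error, response, body) {
      // Error encountered during HTTP request, exit.
      if (error) {
        return callback(error);
      }

      // Keep the try narrow: only the parse can throw here. With callback
      // inside the try, an exception raised by the callback itself would be
      // caught and the callback invoked a second time.
      var wpUser;
      try {
        wpUser = JSON.parse(body);
      } catch (parseError) {
        return callback(parseError);
      }

      // A primitive/null body (e.g. `null`, a number) is a malformed response,
      // not "no such user".
      if (wpUser === null || typeof wpUser !== 'object') {
        return callback(new Error('migration-ws-get-user returned a non-object response'));
      }

      // Error returned from WordPress or no data, exit.
      if (wpUser.error || !wpUser.data) {
        return callback(null);
      }

      // `roles` is the WP_User roles collection; only its first entry is kept.
      // A missing or empty collection yields null so `app_metadata.role` is
      // always present rather than silently dropped as undefined.
      var roleValues = wpUser.roles ? Object.values(wpUser.roles) : [];
      var userRole = roleValues.length > 0 ? roleValues[0] : null;

      // Use WordPress profile data to populate Auth0 account.
      var profile = {
        user_id: configuration.userNamespace + '|' + wpUser.data.ID,
        username: wpUser.data.user_login,
        email: wpUser.data.user_email,
        name: wpUser.data.display_name,
        // NOTE(review): asserted unconditionally; nothing in the WordPress
        // response proves the address was verified. Only keep this if the
        // WordPress site itself verifies e-mail addresses — confirm.
        email_verified: true,
        app_metadata: {
          role: userRole // Add the user role to the app_metadata
        },
        // NOTE(review): `roles` is not a standard profile attribute and is
        // presumably not persisted by Auth0; `app_metadata.role` is the value
        // an Action can read later. Kept for compatibility — verify.
        roles: userRole
      };

      callback(null, profile);
    }
  );
}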

Get User:

/* globals require, configuration */

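/**
 * Auth0 custom-database Get User script: looks up `email` at the WordPress
 * migration endpoint (no password) and maps the returned WP_User JSON onto an
 * Auth0 profile.
 *
 * @param {string} email - Address to look up; sent to WordPress as `username`.
 * @param {function(Error=, Object=)} callback - Auth0 completion callback. Called with
 *   `(error)` when the HTTP request fails, the body is not JSON, or the body is
 *   not an object; `(null)` when WordPress reports an error or returns no `data`
 *   (no matching user); `(null, profile)` on success.
 */
function getByEmail(email, callback) {
  var request = require('request');

  // `endpointUrl` is concatenated as-is, so it must end with '/'.
  // `migrationToken` travels in the POST body, so the endpoint must be
  // reachable over HTTPS only.
  request.post(
    configuration.endpointUrl + 'migration-ws-get-user',
    {
      form: {
        username: email,
        access_token: configuration.migrationToken
      }
    },
    function(error, response, body) {
      // Error encountered during HTTP request, exit.
      if (error) {
        return callback(error);
      }

      // Keep the try narrow: only the parse can throw here. With callback
      // inside the try, an exception raised by the callback itself would be
      // caught and the callback invoked a second time.
      var wpUser;
      try {
        wpUser = JSON.parse(body);
      } catch (parseError) {
        return callback(parseError);
      }

      // A primitive/null body (e.g. `null`, a number) is a malformed response,
      // not "no such user".
      if (wpUser === null || typeof wpUser !== 'object') {
        return callback(new Error('migration-ws-get-user returned a non-object response'));
      }

      // Error returned from WordPress or no data, exit.
      if (wpUser.error || !wpUser.data) {
        return callback(null);
      }

      // `roles` is the WP_User roles collection; only its first entry is kept.
      // A missing or empty collection yields null so `app_metadata.role` is
      // always present rather than silently dropped as undefined.
      var roleValues = wpUser.roles ? Object.values(wpUser.roles) : [];
      var userRole = roleValues.length > 0 ? roleValues[0] : null;

      // Use WordPress profile data to populate Auth0 account.
      var profile = {
        user_id: configuration.userNamespace + '|' + wpUser.data.ID,
        username: wpUser.data.user_login,
        email: wpUser.data.user_email,
        name: wpUser.data.display_name,
        // NOTE(review): asserted unconditionally; nothing in the WordPress
        // response proves the address was verified. Only keep this if the
        // WordPress site itself verifies e-mail addresses — confirm.
        email_verified: true,
        app_metadata: {
          role: userRole // Add the user role to the app_metadata
        },
        // NOTE(review): `roles` is not a standard profile attribute and is
        // presumably not persisted by Auth0; `app_metadata.role` is the value
        // an Action can read later. Kept for compatibility — verify.
        roles: userRole
      };

      callback(null, profile);
    }
  );
}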

Custom Action to set in the Login flow:

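/**
 * Handler that will be called during the execution of a PostLogin flow.
 *
 * Copies `app_metadata.role` into a namespaced ID-token claim so the client
 * app can read it. Note that `event.user.app_metadata` is the value currently
 * stored on the Auth0 user record, not a fresh lookup against WordPress.
 *
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
 */
exports.onExecutePostLogin = async (event, api) => {
  // Namespace prefix for the custom claim (redacted on this page). Custom
  // claim names must be namespaced; the prefix should end so that
  // `${namespace}wp_roles` forms the intended claim name.
  const namespace = [Redacted];

  // NOTE(review): this is the role as stored in Auth0 (written when the user
  // was imported), not live WordPress data. With "Import Users to Auth0"
  // enabled, the custom-database scripts presumably are not consulted on
  // later logins, so a role changed in WordPress will not be reflected here
  // until the stored app_metadata is updated — confirm against the flow.
  const userRole = event.user.app_metadata?.role ?? '';

  if (userRole) {
    console.log(`Setting custom claim for user role: ${userRole}`);
    // Writes back the value just read; a no-op unless app_metadata was
    // missing the key, but kept so the key is always present on the record.
    api.user.setAppMetadata('role', userRole);
    api.idToken.setCustomClaim(`${namespace}wp_roles`, userRole);
  } else {
    console.log('No user role found in app_metadata.');
  }
};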

My end goal is to update the user role in WordPress, have the user log in via ULP, and then see the updated role in the user profile. That way I know I can rely on the Auth0 custom claim in my Flutter app to retrieve the correct updated role for role-based actions.