User groups, roles, and permissions are stale after updating on


New to the Auth) world but not the realm of SSO. Using the free tier to develop a POC on Drupal 8.

Have created a Rule so that some additional user information can be passed with the identityToken. Specifically, the user’s groups, roles, and permissions are what I am looking to pass back from the Auth0 SaaS server. The user info for the first request matches. If I later go back and add/remove user attributes on, the subsequent requests remain the same and do not reflect the updates. It appears that there is some caching occurring inside Auth0 as console.log messages show the source of the information is stale.

Please advise.


Hi @kwiechma,

Could you post the code for the rule? How are you storing the group/roles/permissions?


Hi @dan.woda,

Thanks for the response. Here is the rule code that was requested and some additional information which may be useful:

Perms rule code:
function (user, context, callback) {
console.log(’==> perms rule’);
const namespace = ‘’;
context.idToken[namespace + ‘permissions’] = user.permissions;
context.idToken[namespace + ‘groups’] = user.groups;
context.idToken[namespace + ‘roles’] = user.roles;
console.log(‘user.permissions ->’);
console.log(‘user.groups ->’);
console.log(‘user.roles ->’);
console.log(’<== perms rule’);
callback(null, user, context);

Logs output:

8:49:36 AM: ==> perms rule
user.permissions ->
user.groups -> [ ‘ admin’, ‘ power user’ ]
user.roles ->
<== perms rule

In, the test user is assigned one additional role that I believe should but does not appear in the logs. In the “not understood yet” category, the user roles are appearing as a group rather than a role.


Are you managing and changing the user roles/groups/permissions in the authorization extension? And are you making sure to configure rules/groups/permissions toggled on and publish after the changes? Also are you choosing to persist the data in the users app_metadata (this is not required, just a choice)?

Hi @dan.woda

Thank you for your prompt and useful response. The disconnect was that there are two similar areas: users/roles for the main dashboard and users/groups/roles/permissions for the extension. Being new to the Auth0 way, I being confused when seeing the differences but not really registering at the time.


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.