useUser only gets metadata updates after new user logs out and back in

Continuing the discussion from NextJS useUser Not Getting App Metadata:

I have a similar problem to the issue I’ve linked here. I have a postLogin action that sets some custom claims for a user, in order for us to read their roles from Auth0 in our app using useUser() from nextjs-auth0.

However, the roles only appear on the user returned from useUser() after the user has logged out and logged back in after signup. It does not work when a new user registers an account without them logging out. I don’t want our users to create an account, then have to get logged out and log back in immediately so that they can access certain pages. I’m sure there’s already some way to handle this, please advise :slight_smile:

Steff

2 Likes

@steffanie Any luck finding a solution for this?

I am trying to achieve something similar. I am setting/updating the user metadata using the Management API, but it isn't reflected on the frontend in the useUser hook unless you log out and log in again.

I think there’s a solution to fetch the updated metadata in React by using ignoreCache in getAccessTokenSilently. Is there a similar solution for NextJS?

This solution requires calling the Management API to fetch the updated user metadata state, but there is no option for getting the updated data in useUser.

Super late reply, but I ended up doing a silent login again after the user logs themselves in as a workaround :confused:

  await handleLogin(req, res, {
    authorizationParams: { prompt: 'none' },
  });

I’ve seen the cacheMode: 'off' thing and this silent login approach, but what is the official way for the useUser() hook to update once a PATCH is made via the management API? If the cacheMode is the official strategy, that’s fine; I’ll just have to figure out how it works for my app. Changing the app_metadata via management API PATCH and expecting useUser() to pick up the changes automatically seems like a common use case, so I wanted to make sure I knew exactly what the official course of action was.

1 Like

The silent login approach makes the UI reload, am I right?

My code is: route.push('api/auth/silent-login')

Hello everyone and @steffanie

Thank you for posting your question on the Auth0 Community and I am sorry about the late reply to your inquiry!

I believe the issue lies in the fact that the newly set user metadata/roles/custom claims are only reflected in a newly provided access/ID token, and because the user does not re-authenticate in order for their token to contain this information, the application is not able to read them.

I would recommend forcing re-authentication or requesting a new access token for the users, since the old ones do not contain any information in the specified metadata field, in order to have the application/token reflect the same thing. The best place to do this is within a Post Login Action or within the application, where the user is forced to re-authenticate if the specific claim is not present.

Hope the information above is helpful regarding the matter. If you have any other questions, feel free to leave a reply or post again on the community!

Kind Regards,
Nik
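
The application-side check suggested in the reply above (re-authenticate when the expected claim is missing from the session), as an added example that is not code from this thread or from nextjs-auth0. The claim name, the `decideRoute` and `safeReturnTo` helpers and the `reauthTried` flag are assumptions, and the silent-login route is assumed to wrap `handleLogin` with `prompt: 'none'` as posted earlier and to honor a `returnTo` query parameter.

```javascript
// Hypothetical names: adjust to the namespaced claim your Post Login Action sets.
const ROLES_CLAIM = 'https://example.com/roles';
const SILENT_LOGIN_PATH = '/api/auth/silent-login';

// Accept only same-site relative paths as the return target, so the
// re-authentication redirect cannot be abused as an open redirect.
function safeReturnTo(path) {
  if (typeof path !== 'string') return '/';
  if (!path.startsWith('/') || path.startsWith('//') || path.includes('\\')) return '/';
  return path;
}

// Decide how to handle a request for a role-protected page.
// user:        the object stored in the session (what useUser() returns), or null
// reauthTried: true when this request already came back from the silent login
//              (tracked by the caller, e.g. in a short-lived cookie; assumption)
function decideRoute(user, requestedPath, requiredRole, reauthTried) {
  if (!user) return { action: 'login', location: '/api/auth/login' };

  const roles = user[ROLES_CLAIM];
  if (!Array.isArray(roles)) {
    // Claim absent: the session was built from tokens issued before the claim was set.
    // Fail closed after one attempt instead of looping between app and login.
    if (reauthTried) return { action: 'deny', status: 403 };
    const returnTo = encodeURIComponent(safeReturnTo(requestedPath));
    return { action: 'reauth', location: `${SILENT_LOGIN_PATH}?returnTo=${returnTo}` };
  }

  // Claim present: authorize strictly on what the session contains.
  return roles.includes(requiredRole)
    ? { action: 'allow' }
    : { action: 'deny', status: 403 };
}
```

A missing claim is treated as "not yet known" exactly once; after that, and whenever the claim is present but lacks the role, the request is denied rather than allowed by default.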