Are you trying to figure out how to assign default roles to your users when they sign up to your application? Or maybe you were already doing this with Auth0 Rules, but you're trying to migrate to Actions? Keep watching because I got you.

Hello everyone, I'm Karla and I'm a senior developer advocate here at Auth0 by Okta. So when you're building an application, one of the first steps when you're adding access control is to use roles and permissions. Normally, in any organization, a role defines what users can or can't do, and they're often used to reflect the organizational structures, the departments, and so on. A permission, on the other hand, is a declaration of an action that can be executed on a resource. In Auth0, a role is a collection of permissions that you can apply to your users and that can facilitate how you manage permissions, how you add, remove them, because you handle them as a group instead of individually. So now let's go ahead and create a new role so we can later on assign it as a default one when your users sign up. And for that, we're going to use an Auth0 action.

All right, so now we're here in the Auth0 dashboard and you probably have an API created in your Auth0 account. Nevertheless, I'm going to leave you the link if you want to get your new account. I set up this default role action test tenant that I'm going to be using. And I have an API created right here that I called default role test API. So the first thing we need to do in order to assign a default role is to have the role. So we're going to go to the user management section and then roles. And you're going to see that we don't have any roles created yet. So we're going to create a new one, which I'm going to call default role. I've created many for testing purposes. And we're going to say that this is a default role for users when they sign up to my app. Nice. So we're going to click on create. And that is going to take us to the details of the role.
You see here we have a role ID. And remember this for later because we are going to need that information.

So now that we have a role created, we need to be able to send that to our application. And one way to do that is by using the Management API. You need to make sure that you have that enabled in your application. So I'm going to go to mine. This is the default test application that was created when I created my API. So if I click on that, and then I go to the API section, I'm going to see that I have authorized two APIs, the one that, you know, was created for this application in particular. And I also enabled already the Auth0 Management API. Another thing you need to make sure is that you have the permissions that you need for your specific actions. In my case, I have them all because why not? No, I'm just kidding. You shouldn't have them all. You should only have the ones that you need. But I'm testing this. So I'm basically allowed.

So adding roles on sign up is actually not a built-in functionality that Auth0 gives you, because we want to give as much flexibility as possible. You are able to do this using Auth0 Actions. And if you don't know what an action is, an action is basically a JavaScript function that allows you to customize the standard behavior of your authentication flow or your authentication experience in general. We do have a section on the sidebar dedicated for actions. So we have flows and library. So we're going to go ahead and go to the flows. And here you can see some documentation and information about the flows and triggers.

Now, the premise of this video is that we're going to add a default role on sign up. If we get to the flows and triggers, and this happened to me when I was doing the research for this video, you can see here when each flow runs, what triggers it, if the execution is synchronous or asynchronous, and what are some example use cases that you might have.
If we go to the post-user-registration and we read when this runs, it says that this runs after a user is added to a database or passwordless connection. And now this statement tells us something. And that is that it's very specific for these two types of connections. So any action that you use in this flow runs asynchronously, meaning that it's not going to block the execution. And the Auth0 pipeline will continue to run without waiting for this particular action to finish. But then what happens if your users sign up to your application using, for example, a social connection? According to the documentation, this flow won't be triggered because this is only triggered when you add a user to a database or passwordless connection.

And because we want to cover all the use cases, instead of using the post-user-registration flow, we could use the login flow. If you see, this flow runs every time a user logs in and it runs synchronously. And something important here is that in Auth0, every time a user signs up, it is automatically logged into the application. So that sign up experience actually counts as well as the user's first login. So because of that, we are able to use the login flow for this particular use case as well. I highly recommend that if you want to learn more about the flows and triggers, you actually read this documentation. It's very, very, very extensive. Even if you click on any flow, then you get more details, a diagram, you know, the details of each object in the action. So I'm going to leave that also in the description below.

Now, going back to our management dashboard, we're going to go to actions and the library. And here we're going to create the action to add the default role to users on sign up. This is not an installed action. So we're going to create a custom one. And we're going to click on build custom. We're going to name this Add Default Role.
The trigger, we're going to leave it to Login / Post Login here, because that is the one that we're interested in. And the Node version, we're going to leave it at 18 because it's the recommended one. We're going to create that action and then we're going to be automatically taken to the actions editor. And here you'll see you have two methods. One of them is commented because it's not mandatory to use it. And we don't need it at this point. So we're going to be focusing on the onExecutePostLogin function.

So we know we want to use the Management API. We know we want to assign a role. And we want this to happen on either the first time the users log in or if the user doesn't have any role assigned, which for our use case might be sufficient. So we're going to check the event here. And for that, you can click on the test tab. And here you will see the event that accompanies this action in particular or this trigger in particular. So we'll see a bunch of stuff. And if we go to the, so we have authentication here, but we also have authorization. And inside the authorization object, we have roles, which is exactly what we need to check.

Now let me quickly check the docs for the event object. And if I go to the event authorization, you see this is optional. So if we want to use anything in this, particularly the roles, we have to make a very long statement. But basically what I want to do with these conditions is I want to check if the user already has a role created. That's all I want to do because in my specific use case, if the user doesn't have a role created, it means they are new to my database and they haven't logged in yet. Now this condition might be different for your specific case. You could also maybe count the number of times the user logs in or something like that. But for my use case, I'm going to use this event. So this is optional. So we're going to go over here and we're only going to execute this action if that exists.
So if event.authorization is there and event.authorization.roles is there, then none of them. And I also want to make sure that the event.authorization.roles length is zero. I think you have to use three equals here. I will double check on that in a second. But this is a very long condition. So basically if there's an event authorization and it has roles, and actually let's do it like this because I think I like it better. Yeah, with the and after. So if there's an event authorization and there are roles and there are no roles, meaning that the size of the array is zero, then we're going to do some stuff. If none of these happens, meaning the user already has a role, I really don't want this action to do anything at all. So anything outside this if statement, you know, we don't care about it. Or better said, we're going to leave it empty.

So the next thing we need to do is to interact with the Management API. And for that, we are going to be using the Auth0 Node, auth0 package that we have right here. So let's check the docs. So with the Node auth0 package, you can interact with both the Authentication API and with the Management API. We don't really care about the Authentication API at the moment, but we do care about the Management API. So in order to do this, we need to npm install auth0 and then we configure the SDK. So we basically need, we need a management client and these variables. Cool.

Okay. So first things first, we need to do npm install auth0. So normally, that's what you would do in your terminal. In Actions, we can close this, in Actions we can just add a new dependency right here. So the name of the dependency we know is auth0. And we're going to use the latest version. So this is like, this will be the equivalent of installing that dependency. So we have that ready. The next thing we need to do is to, where am I here? We need to initialize the management client.
So I'm going to go ahead and copy this and put that right here. Okay, so. So I think we're going to have a constant here instead. And yeah, we can call it management. And this creates a new management client. And this is complaining that it cannot find the name ManagementClient. So I think first we need to, whoops, we're going to initialize that first. So we're going to require auth0. And let's see, and we can initialize a management client here. So once we have that, we create our constant and we need the domain, client ID and client secret.

This is a good opportunity for us to use the secrets from the editor. So we can go ahead and pretend that we already have the secret or add it first. I think I'm going to add them first. So I actually have the autocomplete feature. So we need the domain, client ID, client secret. So I'm going to go ahead and open my application in a different tab because I don't want this to close. And it would be this one. So I have all my information here. This is my domain, my client ID and my client secret. So I'm going to copy this into my secrets. So I click on secrets, add secret, I'm going to call this domain and put this value there. Then we need the client ID. Going to add this secret, client ID, create. And last but not least, we have the client secret, client secret and this value, we're going to click on create.

So right now we have our secrets there. So now the editor is actually able to autocomplete when I'm writing, which makes my life easier. So we're going to write here, the secrets are available in the event object. So I can do event.secrets.domain and here we can do event.secrets.client ID and finally the client secret, the client secret. Cool. So this is our instance for a management client. That's cool. And now another thing we need to do is check how to do what we want to do. So we want to assign a role to a user. So I'm going to go over here and go to the API reference. Okay.
And this is my management client and I can use the search here. So I'm going to say assign. This looks like we want to do any of this, but I'm going to go with management users manager assignRoles. And this is quite promising. This says it associates a role, associate roles with a user or assign roles to a user. So this function looks pretty much like what we want to do. And it receives three things, two of them are mandatory, one is optional. So the first one is request parameters. And if we check on that, that is basically the ID of the user that you want to associate the role with. Cool. And the second one, it's called body parameters, should be, it's an array of roles. So you have the users you want to assign the role to and the list of roles that you want that user to have. That looks good.

So let's go back to our action. And what we need here is I'm going to have params. And I'm going to say, remember, this was an object with the user's ID. So the user's ID is available in the event.user.user_id. There we go. And we also need an array of roles. So that's going to be the data. And we're going to send that here. So we have roles. And we need to pass. Uh huh. So we need the list of role IDs to associate with the user.

So if you remember when we created that role earlier, I told you remember this ID because we're going to use it later. So let's go ahead and get that. So if we go to, I'm in a different tab now. So if we go to user management, roles, and then go to my default role, here I have the role ID. So I'm going to copy that. And I'm going to use it right here. I think you could use this as a secret as well if you wanted to. But because I'm testing, I'm going to leave it like that for now. And we can decide later if we want to put it as a secret. Cool. So we got the role ID. We have the parameters and we already know what's the name of the function we want to use.
It's assignRoles and it lives in this, you know, users management. So let's use autocomplete for this. So we're going to use our management client dot users dot, ah, wait. Actually, we should put that in a try catch. Just in case. So let's put a try catch here. I'm going to try to do something. And, you know, catch the error if there is any, and I always like to, you know, show the error if any. Cool. And then inside the try. This is actually a promise. So we're going to do our await. And then management.users.assignRoles. And we're going to pass the params and the data, which looks okay. I think, let's double check, assignRoles and then you have your parameters. Okay, we're going to try this out and see how that goes.

Okay, so how can we test this action? We're going to go to the test tab. And because I need a user ID, I'm going to go ahead and get a user ID from one of the users that I have already created. This is just for testing purposes. In a real world scenario, this user ID is going to be the ID of the user that is signing up for the first time. But obviously, I don't have that information because, you know, I'm testing. So I can just use any user ID. Okay, so I'm going to go ahead and test this with a user ID that I already have. We're gonna, we need to find the user object, connection, organization, organization. I don't even know how you say that. Aha, user. So let's find the user ID, user ID, user ID. Here it is. And we're going to use this one, which was a little bit moved. Cool. I'm going to use this user ID.

And if we check for this condition, if we go to the event authorization object right here, the roles are empty. So this condition should pass, like the execution should work. We have our data here and we're assigning this role. Okay, so if you want to be super sure about this user, this is a user I created not long ago. And right now it doesn't have any roles assigned.
So let's go ahead and test this by clicking run right here. I have my other screen here so I can see. Okay, so let's click on run and see what this does. It was updated. Okay, so I got nothing. And because I was using a user ID that I already created, this should be somehow updated. So let's take a look. Okay, now this user has a default role assigned to them. That's pretty cool.

The next thing we should do is deploy our action because right now this is all running in my tenant. There's nothing out there and live to the public. So we are going to click on deploy. And now we have our default role was successfully deployed and it says add to flow. I missed it, but let's go and add it to a flow because even though this action is already deployed, we haven't really put it in any flow. So right now it's never going to be triggered. So we're going to go to flows. And like we said, we're going to do it in the login flow. So we're going to click here and you'll see you have a start and a complete. And we're going to go to custom and add default role. And what you're going to do here is you're going to drag your action into the middle here between the start and complete. And we're going to apply that. Cool.

Now, I want to test this with the universal login box. But for that, I'm going to go ahead and delete the role. And so if this works, which it should, we should have a role assigned here. So let's try it here directly from our database connection. We can test it. We can try this connection. So the email address of this user, I don't actually remember. So let me go back to the user management. User role at test.com. So user role at test.com. And I think this is the password. Let's see. So what should happen is, what should happen here is, let's come back before I click on login, that right now this user has no roles. After I click login, I should have a role. Okay, this worked. And we're going to go here and update this page by switching tabs. Cool.
Now I have a role assigned.

Now you're probably wondering a few things. I said this works at sign up and I've been using the login and stuff. That's because we're using the login flow, for one. And also because of the condition we're using. If you look at our action, the condition we have is that if the user doesn't have any role assigned. And that's this condition right here. If you, for example, use the number of logins, the number of times the user has logged in, you might have a different outcome here. But if that's what suits your use case, go ahead and use it. So just like that, we added a default role to your users when they sign up.

So a quick recap for this video. In this video, we created a new role and then used that role as our default one to add it to our users when they sign up. If you have any questions or comments or concerns, let us know in the comments below. Thank you for watching.
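
The Action narrated in the video, written out as an added example (it is not the presenter's own file). The secret names, the role ID placeholder and the third `makeClient` parameter are assumptions; the `assignRoles(params, data)` call follows the SDK shape described in the video.

```javascript
// Added example reconstructed from the steps in the transcript.
// Placeholder: paste the Role ID shown on the role's details page.
const DEFAULT_ROLE_ID = "rol_REPLACE_WITH_YOUR_ROLE_ID";

// True only when event.authorization exists and its roles array is empty.
// event.authorization is optional, so a missing object means "do nothing".
function needsDefaultRole(event) {
  const roles = event.authorization && event.authorization.roles;
  return Array.isArray(roles) && roles.length === 0;
}

// Default factory: uses the auth0 package added as a dependency in the
// Actions editor. Loaded lazily so the role check can be tested without it.
function createManagementClient(secrets) {
  const { ManagementClient } = require("auth0");
  return new ManagementClient({
    domain: secrets.domain, // secret names are assumptions
    clientId: secrets.clientId,
    clientSecret: secrets.clientSecret,
  });
}

// Post-login handler. The third parameter is a test seam added for this
// example; Auth0 invokes the handler with (event, api) only.
async function onExecutePostLogin(event, api, makeClient = createManagementClient) {
  if (!needsDefaultRole(event)) return "skipped";

  const params = { id: event.user.user_id };
  const data = { roles: [DEFAULT_ROLE_ID] };
  try {
    const management = makeClient(event.secrets);
    await management.users.assignRoles(params, data);
    return "assigned";
  } catch (err) {
    // Log the error and let the login continue, as in the video.
    console.log(err);
    return "failed";
  }
}

// In the Actions editor the handler is exposed through exports.
if (typeof module !== "undefined" && module.exports) {
  module.exports.onExecutePostLogin = onExecutePostLogin;
}
```

The application whose client ID and secret are stored as secrets needs only the Management API permissions this one call uses (`read:roles` and `update:users`), not every permission.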