Default Role Not Assigned When Creating User from Console (PostCreation Trigger in Internal Auth)
Use-case:
I’m working on setting up automated role assignment for users in my application using ZITADEL. I'm using both Zoho OIDC for external login and direct user creation via the ZITADEL console (invite flow). My goal is to assign the default 'user' role automatically right after a user is created—regardless of the method.
Environment:
ZITADEL Self Hosted
Version:
v 3+
Stack:
- Identity Provider: Zoho (OIDC)
- ZITADEL Console (for direct user creation)
- No backend automation currently—only using Flows via the UI
- Role-based access using Project Roles in ZITADEL
What I expected to happen:
Whether the user signs up via external login (OIDC) or is manually created via the console (with invite), the assigned Flow should trigger a role assignment using the same addGrant function script.
What went wrong:
When using External Authentication (Zoho OIDC), the PostCreation trigger runs correctly and the user gets the 'user' role, which shows up in the "Authorization" tab as expected.
However, when I create a user manually from the ZITADEL console and send them an invite (Internal Authentication), even though I assigned the same script to the PostCreation trigger in the Internal Authentication Flow, the role is not being assigned.
This is the script I’m using:
function addGrant(ctx, api) {
  // Append a grant for the project role to the newly created user
  api.userGrants.push({
    projectID: '<Project ID>',
    roles: ['<role>']
  });
}
I expected this to work similarly for console-created users as it does for external users. I'm not sure if I'm missing something about how flows are triggered internally or if additional configuration is needed.
I’m relatively new to ZITADEL and figuring things out as I go, so I might be missing something basic. I’d really appreciate guidance on:
- Whether PostCreation for internal authentication works the same as external
- Any limitations of user invite flow regarding flow triggers
- Any configuration or permission step I might have missed
