Sk-7060131690 3mo ago

Default Role Not Assigned When Creating User from Console (PostCreation Trigger in Internal Auth)

Use-case: I’m working on setting up automated role assignment for users in my application using ZITADEL. I'm using both Zoho OIDC for external login and direct user creation via the ZITADEL console (invite flow). My goal is to assign the default 'user' role automatically right after a user is created—regardless of the method.

Environment: ZITADEL Self Hosted
Version: v3+
Stack:
- Identity Provider: Zoho (OIDC)
- ZITADEL Console (for direct user creation)
- No backend automation currently—only using Flows via the UI
- Role-based access using Project Roles in ZITADEL

What I expected to happen: Whether the user signs up via external login (OIDC) or is manually created via the console (with invite), the assigned Flow should trigger a role assignment using the same addGrant function script.

What went wrong: When using External Authentication (Zoho OIDC), the PostCreation trigger runs correctly and the user gets the 'user' role, which shows up in the "Authorization" tab as expected. However, when I create a user manually from the ZITADEL console and send them an invite (Internal Authentication), even though I assigned the same script to the PostCreation trigger in the Internal Authentication Flow, the role is not being assigned.

This is the script I’m using:

```javascript
// Actions v1 script attached to the PostCreation trigger.
function addGrant(ctx, api) {
  // Queue a project grant with the given role keys for the new user.
  api.userGrants.push({
    projectID: '<Project ID>',
    roles: ['<role>']
  });
}
```

I expected this to work similarly for console-created users as it does for external users. I'm not sure if I'm missing something about how flows are triggered internally or if additional configuration is needed. I’m relatively new to ZITADEL and figuring things out as I go, so I might be missing something basic.

I’d really appreciate guidance on:
- Whether PostCreation for internal authentication works the same as external
- Any limitations of user invite flow regarding flow triggers
- Any configuration or permission step I might have missed
5 Replies
Matías 2mo ago
Hi @Sk-7060131690, thanks for reaching out! Indeed, the code looks correct and it should work for both internal and external authentication in the Post Creation trigger. Can you please clarify the following?
- Can you please confirm your Zitadel version? The latest stable version is v3.3.1.
- Zitadel v1 has been deprecated for a while now.
- Could you please check if you have enabled the "Use V2 Api in Console for User creation" feature flag (Default Settings > Features)? To understand if users are being created using the new API v2, or old API v1 from console.

Thanks!
Sk-7060131690 (OP) 2mo ago
@Matías
1) I am using v3+, which is self-hosted.
2) I checked with root user; previously it was disabled, so now we have enabled v2 for user creation.
Matías 2mo ago
Got it. I will test this in the same conditions to see if I can replicate, and get back to you with my findings and next steps.
Sk-7060131690 (OP) 2mo ago
Hey @Matías, just wanted to check if you’ve had a chance to try things out on your end. Appreciate your help!
Matías 4w ago
Hi @Sk-7060131690, I apologize for the very late reply; I lost track of this thread and only now found it while clearing my queue.

I tested the above, and I observed the same behavior. Even though the documentation states that this code should work for both internal and external authentication, the role is not being added for the internal authentication flow (post creation trigger).

I would recommend switching to Actions v2, following the examples linked here to set up an Event or Response Action, and making a call from your backend to add the user grant. You could also create a GitHub issue for Actions v1, but given that we are moving away from this model in favor of Actions v2, I don't think this will be taken up with priority.

I hope that helps. Please let me know if you have any follow-up questions.
ZITADEL Docs
In this guide, you will have all necessary information to migrate from Actions v1 to Actions v2 with all currently available Flow Types.
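
One way to follow the recommendation above, as an added example that is not from the thread or from ZITADEL's own code: a backend handler that takes an Actions v2 event and adds the default grant through the Management API. The instance URL, event field names, event types and the 409 handling are assumptions, and the incoming request is assumed to be authenticated before this code runs.

```javascript
// Added example. Everything marked "assumed" is not taken from the thread.
const CONFIG = {
  issuer: 'https://zitadel.example.com', // assumed: placeholder instance URL
  projectId: '<Project ID>',             // placeholder, as in the thread's script
  defaultRoles: ['user'],                // role key named in the thread
  // assumed: event types that mark a newly created human user
  creationEvents: ['user.human.added', 'user.human.selfregistered'],
};

// Constructed sample event; field names are assumed.
const sampleEvent = { event_type: 'user.human.added', aggregateID: '312345678901234567' };

// Map one event to a "add user grant" request, or null when it is not a user creation.
function buildGrantRequest(event, cfg, token) {
  if (!event || !cfg.creationEvents.includes(event.event_type)) return null;
  const userId = event.aggregateID; // assumed: field carrying the new user's ID
  if (typeof userId !== 'string' || userId.length === 0) {
    throw new Error('creation event carries no user ID');
  }
  return {
    // Encode the ID so a crafted value cannot alter the request path.
    url: `${cfg.issuer}/management/v1/users/${encodeURIComponent(userId)}/grants`,
    method: 'POST',
    headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },
    body: JSON.stringify({ projectId: cfg.projectId, roleKeys: cfg.defaultRoles }),
  };
}

// Send the grant; fetchImpl is injectable so the logic can be exercised offline.
async function assignDefaultRole(event, cfg, token, fetchImpl = fetch) {
  const req = buildGrantRequest(event, cfg, token);
  if (req === null) return 'ignored';
  const res = await fetchImpl(req.url, {
    method: req.method,
    headers: req.headers,
    body: req.body,
  });
  if (res.ok) return 'granted';
  // assumed: a repeated delivery for an already granted user is answered with 409
  if (res.status === 409) return 'already-granted';
  // Fail loudly so a user left without the default role is noticed and retried.
  throw new Error(`grant failed with HTTP ${res.status}`);
}
```

The token should belong to a service user whose permissions are limited to managing grants on this one project, since the handler runs for every created user.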
