diff --git a/.changeset/strange-seas-whisper.md b/.changeset/strange-seas-whisper.md new file mode 100644 index 000000000..333dff482 --- /dev/null +++ b/.changeset/strange-seas-whisper.md @@ -0,0 +1,5 @@ +--- +'hasura-auth': patch +--- + +fix: don't crash when adding allowed roles upon sign-in with a provider diff --git a/src/routes/oauth/utils.ts b/src/routes/oauth/utils.ts index 7a10ff0e4..b3bd8e548 100644 --- a/src/routes/oauth/utils.ts +++ b/src/routes/oauth/utils.ts @@ -59,6 +59,17 @@ export const transformOauthProfile = async ( const emailVerified = !!normalised.emailVerified; + let allowedRoles: string[] = ENV.AUTH_USER_DEFAULT_ALLOWED_ROLES; + + if (options?.allowedRoles) { + if (Array.isArray(options.allowedRoles)) { + allowedRoles = options.allowedRoles; + } else if (typeof options.allowedRoles === 'string') { + //if for some reason it comes as a string, split it + allowedRoles = (options.allowedRoles as string).split(','); + } + } + return { passwordHash: null, metadata: options?.metadata || {}, @@ -66,11 +77,9 @@ export const transformOauthProfile = async ( emailVerified, defaultRole: options?.defaultRole || ENV.AUTH_USER_DEFAULT_ROLE, roles: { - data: (options?.allowedRoles || ENV.AUTH_USER_DEFAULT_ALLOWED_ROLES).map( - (role) => ({ - role, - }) - ), + data: allowedRoles.map((role) => ({ + role, + })), }, locale, displayName, diff --git a/test/oauth/__snapshots__/transform-profile.test.ts.snap b/test/oauth/__snapshots__/transform-profile.test.ts.snap index fbf0e60ed..5afa9da77 100644 --- a/test/oauth/__snapshots__/transform-profile.test.ts.snap +++ b/test/oauth/__snapshots__/transform-profile.test.ts.snap 
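Review bot: The string branch in the first `src/routes/oauth/utils.ts` hunk splits on `,` without trimming or dropping empty segments, so `'user, me'` produces a role named `' me'` and a trailing comma produces `''`; `allowedRoles = (options.allowedRoles as string).split(',').map((r) => r.trim()).filter(Boolean);` would normalise it. Nothing visible in the hunk checks the resulting roles against `ENV.AUTH_USER_DEFAULT_ALLOWED_ROLES` before they are written to `roles.data`; a value that arrives here as a string has presumably bypassed whatever schema coerces it to an array, so confirm the upstream membership check still ran or repeat it here after normalising. An empty array is truthy and would leave the new user with no role rows while `defaultRole` is still set independently. Widening the option's type to `string | string[]` would make the `as string` cast unnecessary. The body of `transformOauthProfile` starts and ends outside the hunk.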
@@ -1,5 +1,51 @@ // Jest Snapshot v1, https://goo.gl/fbAQLP +exports[`OAuth helpers should handle an array of allowed roles 1`] = ` +Object { + "avatarUrl": "https://platform-lookaside.fbsbx.com/platform/profilepic/?asid=1234567890123456&height=50&width=50&ext=1234567894&hash=Qdiofewu-OPO", + "defaultRole": "user", + "displayName": "Bob Smith", + "email": "bob.smith@gmail.com", + "emailVerified": false, + "locale": "en", + "metadata": Object {}, + "passwordHash": null, + "roles": Object { + "data": Array [ + Object { + "role": "user", + }, + Object { + "role": "me", + }, + ], + }, +} +`; + +exports[`OAuth helpers should handle comma separated allowedRoles 1`] = ` +Object { + "avatarUrl": "https://platform-lookaside.fbsbx.com/platform/profilepic/?asid=1234567890123456&height=50&width=50&ext=1234567894&hash=Qdiofewu-OPO", + "defaultRole": "user", + "displayName": "Bob Smith", + "email": "bob.smith@gmail.com", + "emailVerified": false, + "locale": "en", + "metadata": Object {}, + "passwordHash": null, + "roles": Object { + "data": Array [ + Object { + "role": "user", + }, + Object { + "role": "me", + }, + ], + }, +} +`; + exports[`OAuth helpers should transform a Facebook profile 1`] = ` Object { "avatarUrl": "https://platform-lookaside.fbsbx.com/platform/profilepic/?asid=1234567890123456&height=50&width=50&ext=1234567894&hash=Qdiofewu-OPO", diff --git a/test/oauth/transform-profile.test.ts b/test/oauth/transform-profile.test.ts index 8081c3f84..db77220db 100644 --- a/test/oauth/transform-profile.test.ts +++ b/test/oauth/transform-profile.test.ts 
@@ -86,4 +86,50 @@ describe('OAuth helpers', () => {
 const output = await transformOauthProfile(normalisedProfile);
 expect(output).toMatchSnapshot();
 });
+
+ it('should handle an array of allowed roles', async () => {
+ const facebookProfile = {
+ id: '1234567890123456',
+ name: 'Bob Smith',
+ email: 'bob.smith@gmail.com',
+ picture: {
+ data: {
+ height: 50,
+ is_silhouette: false,
+ url: 'https://platform-lookaside.fbsbx.com/platform/profilepic/?asid=1234567890123456&height=50&width=50&ext=1234567894&hash=Qdiofewu-OPO',
+ width: 50,
+ },
+ },
+ };
+ const normalisedProfile = await normaliseProfile('facebook', {
+ profile: facebookProfile,
+ });
+ const output = await transformOauthProfile(normalisedProfile, {
+ allowedRoles: ['user', 'me'],
+ });
+ expect(output).toMatchSnapshot();
+ });
+
+ it('should handle comma separated allowedRoles', async () => {
+ const facebookProfile = {
+ id: '1234567890123456',
+ name: 'Bob Smith',
+ email: 'bob.smith@gmail.com',
+ picture: {
+ data: {
+ height: 50,
+ is_silhouette: false,
+ url: 'https://platform-lookaside.fbsbx.com/platform/profilepic/?asid=1234567890123456&height=50&width=50&ext=1234567894&hash=Qdiofewu-OPO',
+ width: 50,
+ },
+ },
+ };
+ const normalisedProfile = await normaliseProfile('facebook', {
+ profile: facebookProfile,
+ });
+ const output = await transformOauthProfile(normalisedProfile, {
+ allowedRoles: 'user,me' as any,
+ });
+ expect(output).toMatchSnapshot();
+ });
 });
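Review bot: The comma-separated test only feeds the clean input `'user,me'`, and both new tests assert through snapshots whose stored output is identical, so a wrong role list would be accepted on the next snapshot update. An explicit assertion such as `expect(output.roles.data).toEqual([{ role: 'user' }, { role: 'me' }]);` pins the behaviour. Cases for `'user, me'`, a trailing comma, and a role outside the configured defaults would document what `transformOauthProfile` is meant to do with them. The Facebook profile fixture is duplicated in both tests and could be hoisted into a shared constant.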