We’ve successfully paired our IDP (Google Workspace) with Auth0 for an enterprise SSO integration. Our login flow must either succeed or fail based on the incoming user’s GW group(s).
event.user.groups doesn’t appear to exist, but this is where the groups are located in the ‘raw JSON’ for any given user.
I can verify that the Google Workspace integration works as expected, as the groups are synced correctly and visible under user.groups in the Auth0 console.
I suspect that the Auth0 Action does not allow any way to call the event.user.groups property since it is not a part of the callable properties.
Because you can get the user’s "groups" using the Management API, I suggest calling the Management API within your Action script to be used for your logic (e.g., appending to custom claims).
Thank you for the answer! Having every user login call the Management API will not be ideal, especially now that Auth0 applies a pretty strict rate limit on it.
Also, I found out that Auth0 Rules is able to use user.groups; the template Active Directory group membership Rule demonstrates that. It sounds weird to me that Auth0 Actions can’t, while we are encouraged to migrate to Actions.
Yes, I understand that you may hit Rate Limits when using the Management API in an Action.
I am glad you could work around this issue using an Auth0 Rule.
Yes, I completely understand. At the time of writing this response, there is still a feature gap between Auth0 Actions and Rules. Therefore, we still encourage you to migrate to Actions where possible and to continue using Rules until there is feature parity between them.
We apologize for any inconvenience that this may have caused you.
Please reach out if there’s anything else I can do to help.
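
The approach suggested in the thread (a post-login Action that reads the user's groups through the Management API and allows or denies the login), sketched as an added example that is not code from the thread or from Auth0. The allow-list value and the secret names DOMAIN (the tenant domain), M2M_CLIENT_ID and M2M_CLIENT_SECRET are assumptions; the gate fails closed, so a rate-limited or failed lookup denies the login instead of letting it through.

```javascript
// Added example, not from the thread. ALLOWED_GROUPS and the secret names
// (DOMAIN, M2M_CLIENT_ID, M2M_CLIENT_SECRET) are assumptions.
const ALLOWED_GROUPS = ['engineering@example.com']; // constructed value

// Deny unless at least one group is on the allow-list; malformed input denies.
function isAllowed(groups, allowed) {
  if (!Array.isArray(groups)) return false;
  return groups.some((g) => typeof g === 'string' && allowed.includes(g));
}

// Client-credentials token for the Management API, reused via the Actions cache.
async function getToken(event, api, httpFetch) {
  const cached = api.cache.get('mgmt_token');
  if (cached) return cached.value;
  const res = await httpFetch(`https://${event.secrets.DOMAIN}/oauth/token`, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: event.secrets.M2M_CLIENT_ID,
      client_secret: event.secrets.M2M_CLIENT_SECRET,
      audience: `https://${event.secrets.DOMAIN}/api/v2/`,
    }),
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  const { access_token, expires_in } = await res.json();
  api.cache.set('mgmt_token', access_token, { ttl: (expires_in - 60) * 1000 });
  return access_token;
}

// Post-login gate. Any lookup failure (including HTTP 429) denies the login.
async function gateLogin(event, api, httpFetch = fetch) {
  try {
    const token = await getToken(event, api, httpFetch);
    const url = `https://${event.secrets.DOMAIN}/api/v2/users/` +
      encodeURIComponent(event.user.user_id);
    const res = await httpFetch(url, { headers: { authorization: `Bearer ${token}` } });
    if (!res.ok) throw new Error(`user lookup failed: ${res.status}`);
    const { groups } = await res.json();
    if (isAllowed(groups, ALLOWED_GROUPS)) return 'allow';
    api.access.deny('User is not a member of an allowed group');
    return 'deny:group';
  } catch (err) {
    api.access.deny('Group membership could not be verified');
    return 'deny:error';
  }
}
// In an Action: exports.onExecutePostLogin = (event, api) => gateLogin(event, api);
```

Caching the token removes the token request from most logins, but each login still makes one user lookup, so the rate-limit concern raised in the thread still applies to that call.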