Google workspace groups seemingly unavailable in `onExecutePostLogin`


We’ve successfully paired our IDP (Google Workspace) with Auth0 for an enterprise SSO integration. Our login flow must either succeed or fail based on the incoming user’s GW group(s).

event.user.groups doesn’t appear to exist. but this is where the groups are located in ‘raw JSON’ for any given user.

I can verify that google workspace integration works as expected as the groups are synced correctly and visible under user.groups in the auth0 console.

Any idea how we can tap into these?

Hi @DevOpsPerson,

Thanks for reaching out to the Auth0 Community!

First, the event.user.groups is not a callable property as you observed. See here for the complete list of callable Post-Login Action event objects.

Next, could you please share a snippet of the raw JSON of the user?

And, could you please clarify if the groups can be found in the user object when using the Management API Get a User endpoint?

Thank you.

Similar issue. Trying to add the user.groups into custom claims using onExecutePostLogin. The raw json of the user looks like this in my example:

The groups can be found in the user object when using the management API.

1 Like

Seems to go back to those 2 topics:

Since it’s been a year, I wonder if there is any update for this fix?

Hi @yibo,

Thank you for your responses.

I suspect that the Auth0 Action does not allow any way to call the event.user.groups property since it is not a part of the callable properties.

Because you can get the user’s "groups" using the Management API, I suggest calling the Management API within your Action script to be used for your logic (e.x appending to custom claims).

Please see our How can I use the Management API in Actions? FAQ to learn more.

In this case, you will need to call the ManagementClient getUser() method to retrieve the user’s profile.

Please let me know if there’s anything else I can do to help.

Thank you.

1 Like

Thank you for the answer! Having ever user login to call Management API will not be ideal, specially now Auth0 applies pretty strict rate limit on it.

Also I found out that Auth0 Rules is able to use user.groups, the template Active Directory group membership Rules demonstrates that. It sounds weird to me that Auth0 Actions can’t, while we are encouraged to migrate to Actions.

Hi @yibo,

Thank you for your response.

Yes, I understand that you may hit Rate Limits when using the Management API in an Action.

I am glad you could workaround this issue using an Auth0 Rule.

Yes, I completely understand. At the time of writing this response, there is still a feature gap between Auth0 Actions and Rules. Therefore, we still encourage you to migrate to Actions where possible and to continue using Rules until there is feature parity between them.

We apologize for any inconvenience that this may have caused you.

Please reach out if there’ anything else I can do to help.

Thank you.