Auth0 differs from other authentication providers in a number of ways. One that matters here: the dashboard offers no way to put role or group membership into the tokens it issues. That has to be done in code, with an Action.

An application that wants to apply user rights in an SSO setting needs to know the individual user's roles or group memberships, and in an SSO context the only place it can get them from is the token.

The article assumes an OpenID Connect setup, as used by Magnolia SSO, and that you have already configured your Auth0 client application successfully.

Add information about roles

Create a new action

Select Actions, Library, Custom, Create Action, Build from Scratch.

[Screenshot: Auth0 Actions Library]
[Screenshot: Auth0 Custom Action]

Add action information

[Screenshot: Auth0 Custom Action Information]

Provide the code for the custom action

[Screenshot: Auth0 Custom Action Code]

This is the code:

// Runs after every successful login, before the tokens are issued.
exports.onExecutePostLogin = async (event, api) => {
  // event.authorization is only present when Auth0 has role data for the user.
  if (event.authorization) {
    // Copy the user's assigned Auth0 role names into the ID token under a
    // custom claim. "ssogroups" is used because "groups" and "roles" are not
    // accepted as custom claim names (see "Naming conventions" below).
    api.idToken.setCustomClaim('ssogroups', event.authorization.roles);
  }
};

Attach the action to a trigger

An action only runs once it has been attached to a trigger. For this action that is the post-login trigger, which fires after the user has authenticated and before the tokens are issued.

Select Actions, Triggers, post-login.

[Screenshot: Auth0 Post-Login Trigger]

Drag the custom action between Start and Complete, as in the screenshot below, then click Apply.

[Screenshot: Auth0 Post-Login Trigger Flow]

User Information Result

If everything is set up correctly, the user information returned after the next login should look something like this:

{
    "sub": "auth0|5cb87e311f3ab11f19fe7613",
    "nickname": "siegurd.schnaetterchen",
    "name": "[email protected]",
    "picture": "https://s.gravatar.com/avatar/98f0cb1f616d3238ac09c72ea4085d4e?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fla.png",
    "updated_at": "2025-02-10T13:39:55.576Z",
    "email": "[email protected]",
    "email_verified": true,
    "ssogroups": [
        "admins",
        "superusers",
        "travel-demo-editors"
    ]
}

ssogroups has been added to the user information result.


Naming conventions

⚠️ Unfortunately, the names “groups” and “roles” cannot be used as claim names in the Action script, which is why the example uses “ssogroups”. The client integration (Magnolia SSO, for instance) therefore has to be configured to read the claim under the name you chose. Whatever the name, the client must only read it from an ID token whose signature, issuer and audience it has verified first: the claim is authorization data, and an unverified token must never grant rights.


Summary

The article is a step-by-step guide to creating a custom Auth0 Action that adds role or group data to the ID token. The Action is attached to the post-login trigger and stores the user's roles as a custom claim (ssogroups). The result is an ID token carrying group memberships, which an SSO setup such as Magnolia CMS can map to user rights. The names “groups” and “roles” cannot be used directly as claim names in the Action script.