
3rd Party SSO Login with Custom Group Management

14 replies
Last updated: Sep 24, 2020
Has anyone here successfully done 3rd-party SSO login with custom group management in Sanity?
We've gotten this all working -- groups are created with grants, users are added to the groups on login, and we do the tokenized claim to generate a Sanity session.

It works, with one big problem: Studio content is not editable. Every change is rejected with

Insufficient permissions; permission "create" required
I'll post more detail in the thread.
Aug 13, 2020, 10:23 PM
I've tried tokenizing the Sanity claim using both
, which are the only two options according to the docs.
Our custom groups are called
. Here's what the
one looks like:

{
  "_createdAt": "2020-08-12T00:09:18Z",
  "_id": "_.groups.admin",
  "_rev": "yUhunRJNe7KBgGINQx9Qma",
  "_type": "",
  "_updatedAt": "2020-08-12T00:13:28Z",
  "grants": [
    {
      "path": "*",
      "permissions": [ … ]
    }
  ],
  "members": [ … ]
}
Note the full permissions. At least the way I'm reading the docs, "path": "*" is supposed to grant access to everything? Or do I need additional filters to make it work?
Aug 13, 2020, 10:31 PM
BTW shout out to
user Y
-- I used the Community Studio project as a reference point in how I wrote mine, which has gotten me really far! Let me know if you can think of any gotchas that might be causing this issue, thanks!
Aug 13, 2020, 10:33 PM
Aug 13, 2020, 11:48 PM
user R
Do you have custom access control activated on your plan? SSO is usually an enterprise feature that needs to be activated before you get access to the
Aug 14, 2020, 8:47 AM
user J
yes, Enterprise
Aug 14, 2020, 3:51 PM
user R
! The path
actually only refers to documents with no prefixed path, i.e.
, so the path
will also include
. When you try to edit or create a new document in the Studio, what's actually being created is a draft
Aug 14, 2020, 4:11 PM
This is a little unintuitive, so I understand your confusion 🙂 Path expressions are defined here
In path expressions, * is taken to mean "anything up to the next period", while ** means "anything including periods".
The gotcha is, again, that creating a new document means a
prefix, which won't match
, and the solution should be to change it to
for the path value in your grant
Aug 14, 2020, 4:13 PM
Cool thanks
user H
Aug 14, 2020, 4:22 PM
Np. Suggest looking into the
property instead of
if you need more fine grained control over grants. You can achieve the same with
"grants": [
  {
    "filter": "_id in path('**')",
    "permissions": [ … ]
  }
]
for example, but also add any other GROQ filter in there (except reference joins
Aug 14, 2020, 4:25 PM
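The rule user R describes above (`*` stops at the next period, `**` crosses periods, and a Studio edit writes a `drafts.`-prefixed id) expressed as a small runnable matcher, so the difference between the broken and the fixed grant can be checked directly. This is an added example, not code from the thread or from Sanity: the matcher, the `simulateStudioEdit` helper, the sample groups and the permission names other than "create" are assumptions, and the `filter` form is handled only for the `_id in path('...')` shape shown in the thread.

```javascript
// Added example, not code from the thread or from Sanity: a small evaluator for
// grant path expressions with the semantics user R describes.
//   *   matches any run of characters up to the next period
//   **  matches anything, periods included
// Literal characters in the expression must match exactly. Whether Sanity's
// real matcher is built this way is an assumption; the behaviour on the cases
// below ("*" vs "**" against a "drafts." id) is what the thread states.

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Compile a path expression ("*", "**", "drafts.*", ...) into an anchored RegExp.
function compilePath(expr) {
  let re = '';
  for (let i = 0; i < expr.length; i++) {
    if (expr[i] === '*') {
      if (expr[i + 1] === '*') {
        re += '.*';      // ** crosses periods
        i++;
      } else {
        re += '[^.]*';   // * stops at the next period
      }
    } else {
      re += escapeRegex(expr[i]);
    }
  }
  return new RegExp('^' + re + '$');
}

function pathMatches(expr, docId) {
  return compilePath(expr).test(docId);
}

// A grant may carry "path" or "filter". Only the `_id in path('<expr>')` filter
// form is understood here (a simplification); real GROQ filters are far richer.
function grantCovers(grant, docId) {
  if (grant.path !== undefined) return pathMatches(grant.path, docId);
  const m = /^_id in path\('([^']*)'\)$/.exec(grant.filter || '');
  if (!m) throw new Error('unsupported filter in this example: ' + grant.filter);
  return pathMatches(m[1], docId);
}

// True if any grant in the group covers docId with the requested permission.
function groupAllows(group, permission, docId) {
  return group.grants.some(
    (g) => g.permissions.includes(permission) && grantCovers(g, docId)
  );
}

// Editing a document in the Studio writes its draft, whose _id carries the
// "drafts." prefix. The error string mirrors the one quoted at the top of the thread.
function simulateStudioEdit(group, publishedId) {
  const draftId = 'drafts.' + publishedId;
  return groupAllows(group, 'create', draftId)
    ? 'ok'
    : 'Insufficient permissions; permission "create" required';
}

// Constructed sample groups (assumed; the thread only shows "create" by name and
// says the group has "full permissions").
const FULL = ['read', 'create', 'update', 'history'];
const brokenAdmin = { _id: '_.groups.admin', grants: [{ path: '*', permissions: FULL }] };
const fixedAdmin  = { _id: '_.groups.admin', grants: [{ path: '**', permissions: FULL }] };
const filterAdmin = { _id: '_.groups.admin', grants: [{ filter: "_id in path('**')", permissions: FULL }] };

for (const [name, group] of [['path *', brokenAdmin], ['path **', fixedAdmin], ['filter **', filterAdmin]]) {
  console.log(name.padEnd(10), 'edit post-123 ->', simulateStudioEdit(group, 'post-123'));
}
```

Note that with `*` the group's own id `_.groups.admin` is not matched either, since it contains periods; any id scheme that uses a period as a separator needs `**` or an explicit prefix such as `drafts.*`.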
Gotcha. Thanks. I think the doc that threw me off was — path: "*". “**” is so commonly used to mean “anything” in the world at large that I assumed it did here as well.
Aug 14, 2020, 4:31 PM
I can definitely empathize with that, and I’ll bring this feedback to the docs team! Thank you Moses, and hope you get your access control under control 🙂
Aug 14, 2020, 5:15 PM
user R
We've gone much of the same path as you and solved many of the same problems around granting access. We haven't gotten to the SSO part yet, though, so if you have anything to share with the experience you have now, it would be great.
Aug 15, 2020, 12:18 PM
user E
Sorry I didn't get back to you with more general info, but for the most part we followed the several example apps out there, including the Community Studio project on GitHub, and followed the Sanity docs, to achieve Sanity login after we did 3rd-party SSO authorization. In our case we are using Vercel as our host, which has built-in serverless API routes, so I have Sanity's login config direct to our /api/login route, which makes the SSO call and provides a second route as the handler. I was able to successfully leverage the nextjs-auth0 library to do this server-side without needing to include Next.js as a peer dep. Auth0 is meanwhile working on upgrading their libs to be a bit more generic and avoid the confusion of needing to use something labeled 'nextjs' when really it works fine with just Vercel.
Sep 10, 2020, 6:04 PM
Thank you for this! 🙂
Sep 24, 2020, 2:09 PM
