Issue with custom group management in Sanity SSO login

8 replies
Last updated: Sep 10, 2020
Has anyone here successfully done 3rd-party SSO login with custom group management in Sanity?
We've gotten this all working -- groups are created with grants, users are added to the groups on login, and we do the tokenized claim to generate a Sanity session.

It works, with one big problem: studio content is not editable. Every change is rejected with

Insufficient permissions; permission "create" required
I'll post more detail in the thread.
Aug 13, 2020, 10:23 PM
I've tried tokenizing the Sanity claim using both , which are the only two options according to the docs. Our custom groups are called . Here's what the one looks like:

  "_createdAt": "2020-08-12T00:09:18Z",
  "_id": "_.groups.admin",
  "_rev": "yUhunRJNe7KBgGINQx9Qma",
  "_type": "",
  "_updatedAt": "2020-08-12T00:13:28Z",
  "grants": [
      "path": "*",
      "permissions": [
  "members": [
Note the full permissions. At least the way I'm reading the docs, "path": "*" is supposed to grant access to everything? Or do I need additional filters to make it work?
Aug 13, 2020, 10:31 PM
BTW shout out to user Y -- I used the Community Studio project as a reference point in how I wrote mine, which has gotten me really far! Let me know if you can think of any gotchas that might be causing this issue, thanks!
Aug 13, 2020, 10:33 PM
Aug 13, 2020, 11:48 PM
user R
Do you have custom access control activated on your plan? SSO is usually an enterprise feature that needs to be activated before you get access to the
Aug 14, 2020, 8:47 AM
user J
yes, Enterprise
Aug 14, 2020, 3:51 PM
Cool thanks
user H
Aug 14, 2020, 4:22 PM
Gotcha. Thanks. I think the doc that threw me off was — path: "**" — "*" is so commonly used to mean "anything" in the world at large that I assumed it did here as well.
Aug 14, 2020, 4:31 PM
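The gotcha settled above (a grant path of "*" versus "**") is easy to reproduce offline. The following is an added example, not code from this thread or from Sanity itself: it models a grant check over group documents shaped like the "_.groups.admin" document posted earlier, under one assumed rule for the path glob (assumption, verify against the Sanity docs): "*" matches a dot-free run of characters, while "**" also crosses the "." that separates the "drafts." prefix from a published document ID. Studio edits are written to the draft document, so under that rule a "*" grant covers the published ID but never the draft. The sample groups, the "_type" value, the member ID and the permission list are constructed for the example.

```javascript
// Added example (not from the thread or from Sanity). Models a grant check
// under an ASSUMED glob rule: "*" = any run of characters except ".",
// "**" = anything at all. Verify the real semantics in the Sanity docs.

// Assumed full permission set for the example.
const PERMISSIONS = ['create', 'read', 'update', 'delete', 'history'];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Compile a grant path pattern into an anchored RegExp over a document ID.
function pathToRegExp(pattern) {
  let out = '^';
  for (let i = 0; i < pattern.length; i++) {
    if (pattern[i] === '*') {
      if (pattern[i + 1] === '*') {
        out += '.*'; // "**": crosses "." (assumed)
        i++;
      } else {
        out += '[^.]*'; // "*": stops at "." (assumed)
      }
    } else {
      out += escapeRegExp(pattern[i]);
    }
  }
  return new RegExp(out + '$');
}

// Union of permissions from every grant whose path matches the document ID.
function permissionsFor(group, docId) {
  const perms = new Set();
  for (const grant of group.grants) {
    if (pathToRegExp(grant.path).test(docId)) {
      for (const p of grant.permissions) perms.add(p);
    }
  }
  return perms;
}

function can(group, docId, permission) {
  return permissionsFor(group, docId).has(permission);
}

// Constructed sample groups in the same shape as the posted "_.groups.admin"
// document; "_type", the member ID and the permission list are assumed values.
const adminStar = {
  _id: '_.groups.admin',
  _type: 'system.group', // assumed
  grants: [{ path: '*', permissions: PERMISSIONS }],
  members: ['p-example'], // constructed
};
const adminDoubleStar = {
  ...adminStar,
  grants: [{ path: '**', permissions: PERMISSIONS }],
};

// Studio edits go to the draft ("drafts.<id>"), so the interesting check is
// whether "create" is granted on the draft ID, not just the published one.
function explain(group, publishedId) {
  return {
    published: can(group, publishedId, 'create'),
    draft: can(group, 'drafts.' + publishedId, 'create'),
  };
}

console.log(explain(adminStar, 'movie-123'));       // { published: true, draft: false }
console.log(explain(adminDoubleStar, 'movie-123')); // { published: true, draft: true }
```

Under the assumed rule the "*" group can create the published document but not its draft, which is the first thing Studio tries to write, so every edit is refused; the "**" group covers both. Narrower patterns such as "drafts.**" work the same way if you want to scope a group to drafts only.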
user E
Sorry I didn't get back to you with more general info, but for the most part we followed the several example apps out there, including the Community Studio project on GitHub, and followed the Sanity docs, to achieve Sanity login after we did 3rd-party SSO authorization. In our case we are using Vercel as our host, which has built-in serverless API routes, so I have Sanity's login config direct to our /api/login route, which makes the SSO call and provides a second route as the handler. I was able to successfully leverage the nextjs-auth0 library to do this server-side without needing to include Next.js as a peer dep. Auth0 is meanwhile working on upgrading their libs to be a bit more generic and avoid the confusion of needing to use something labeled 'nextjs' when really it works fine with just Vercel.
Sep 10, 2020, 6:04 PM
