Feature:
Allow passing the organization parameter during the ROP flow.
Description:
I have read the current limitations around organizations. Whilst this makes sense for the Client Credentials flow, it really doesn’t make sense for the ROP flow. After all, we’re authenticating a user, who could quite well be part of more than 1 organization.
Use-case:
I have a client whose business structure is made up of multiple sub organizations.
Whilst some users are only members of 1 sub organization, other users are members of multiple sub orgs and hold different roles under each.
We need to use the ROP because we cannot handle redirects and all code is executed in trusted environments.
+1 for this request.
We use the ROP in some automated tests and therefore had to mock some organization-data. I think this feature would solve some ugly workarounds for us.
I have a similar issue where I want to grant API access but need to verify Organization Members’ Roles. It could be different for each Organization and potentially nonexistent for other Organizations they are a member of.
+1 - Same issue on my side. I am using the ROP flow for integration tests, and these users have some specific roles in one organization. I am using RBAC + add permissions claims in the Access Token, but since we are not able to log in through an organization, no permissions are added in the access token. This is very blocking on our side, because the only solution (which is not secure) is to add these roles globally to these test users.
I ended up creating a TokenValidationService middleware on my API that gets called when the token is validated. I check if the gty claim is set to ‘password’; if it is, then I make additional calls to Auth0 to get my user’s organizations and roles and add those to the claims. It is working well, just a bit of overhead on the first call, caching additional requests for subsequent API calls.
I am using .NET, pretty simple to set up - see below if it helps:
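The approach described in the post above, written out as an added example (this is not the poster's code, which is not reproduced on the page): an ASP.NET Core `JwtBearer` `OnTokenValidated` hook that, only for tokens issued through the ROP flow (`gty` claim equal to `password`), calls the Auth0 Management API endpoints `GET /api/v2/users/{id}/organizations` and `GET /api/v2/organizations/{id}/members/{user_id}/roles`, turns the result into `org_id` and `org_role` claims on the validated principal, and caches the lookup per user. The `IManagementTokenProvider` interface, the `your-tenant.auth0.com` domain and the five-minute cache lifetime are assumptions; the enrichment runs server-side after signature validation, so the added claims never exist inside the token itself and cannot be replayed from it.

```csharp
// Added example, not the poster's or Auth0's code. Enriches ROP-issued tokens
// (gty == "password") with organization membership and roles from the Management API.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical: something that obtains a Management API token (e.g. via client credentials).
public interface IManagementTokenProvider
{
    Task<string> GetTokenAsync();
}

public class OrganizationClaimsEnricher
{
    private readonly HttpClient _http;
    private readonly IMemoryCache _cache;
    private readonly IManagementTokenProvider _tokens;
    private readonly string _domain; // assumed, e.g. "your-tenant.auth0.com"

    public OrganizationClaimsEnricher(HttpClient http, IMemoryCache cache,
                                      IManagementTokenProvider tokens, string domain)
    {
        _http = http; _cache = cache; _tokens = tokens; _domain = domain;
    }

    // Wire this to JwtBearerEvents.OnTokenValidated (see registration below).
    public async Task EnrichAsync(TokenValidatedContext context)
    {
        if (context.Principal?.Identity is not ClaimsIdentity identity) return;

        // Tokens obtained via an organization login already carry org_id;
        // only ROP-issued tokens (gty == "password") need server-side enrichment.
        if (identity.FindFirst("gty")?.Value != "password") return;

        // "sub" is mapped to NameIdentifier by default; fall back to the raw claim.
        var userId = identity.FindFirst(ClaimTypes.NameIdentifier)?.Value
                     ?? identity.FindFirst("sub")?.Value;
        if (string.IsNullOrEmpty(userId)) return;

        // Cache per user so only the first request pays for the Management API round trips.
        var claims = await _cache.GetOrCreateAsync($"orgclaims:{userId}", async entry =>
        {
            entry.AbsoluteExpirationRelativeToNow = TimeSpan.FromMinutes(5); // assumed lifetime
            return await FetchOrgClaimsAsync(userId);
        });

        identity.AddClaims(claims);
    }

    private async Task<List<Claim>> FetchOrgClaimsAsync(string userId)
    {
        var token = await _tokens.GetTokenAsync();
        var claims = new List<Claim>();
        var encodedUser = Uri.EscapeDataString(userId);

        using var orgs = await GetJsonAsync($"https://{_domain}/api/v2/users/{encodedUser}/organizations", token);
        foreach (var org in orgs.RootElement.EnumerateArray())
        {
            var orgId = org.GetProperty("id").GetString();
            claims.Add(new Claim("org_id", orgId));

            // Roles are scoped per organization, so record them as "<org_id>:<role name>".
            using var roles = await GetJsonAsync(
                $"https://{_domain}/api/v2/organizations/{orgId}/members/{encodedUser}/roles", token);
            foreach (var role in roles.RootElement.EnumerateArray())
                claims.Add(new Claim("org_role", $"{orgId}:{role.GetProperty("name").GetString()}"));
        }
        return claims;
    }

    private async Task<JsonDocument> GetJsonAsync(string url, string token)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        using var response = await _http.SendAsync(request);
        response.EnsureSuccessStatusCode(); // fail closed: no claims are added if the lookup fails
        return JsonDocument.Parse(await response.Content.ReadAsStringAsync());
    }
}

// Registration (Program.cs); domain and audience come from configuration.
public static class AuthSetup
{
    public static void AddAuth0WithOrgEnrichment(IServiceCollection services, string domain, string audience)
    {
        services.AddMemoryCache();
        services.AddHttpClient<OrganizationClaimsEnricher>();
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = $"https://{domain}/";
                options.Audience = audience;
                options.Events = new JwtBearerEvents
                {
                    OnTokenValidated = ctx => ctx.HttpContext.RequestServices
                        .GetRequiredService<OrganizationClaimsEnricher>().EnrichAsync(ctx)
                };
            });
    }
}
```

Because authorization policies then read `org_id` and `org_role` from the principal, a role granted in one organization does not leak into another, which is the problem the globally-assigned test roles in the earlier reply cause. The trade-off is the one the post names: the Management API is on the request path for the first call per user, and the cache lifetime bounds how stale a revoked membership can be.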