Add organization support for Resource Owner Password flow

dparker · December 22, 2023, 5:56am

Feature:
Allow passing the organization parameter during the ROP flow.

Description:
I have read the current limitations around organizations. Whilst this makes sense for the Client Credentials flow it really doesn’t make sense for the ROP flow. After all, we’re authenticating a user, who could quite well be part of more than 1 organization.

Use-case:
I have a client whose business structure is made up of multiple sub organizations.
Whilst some users are only members of 1 sub organization, other users are members of multiple sub orgs and hold different roles under each.
We need to use the ROP because we cannot handle redirects and all code is executed in trusted environments.

dan.woda · December 22, 2023, 7:19pm

Thanks for adding this feature request @dparker!

j.krabs · January 11, 2024, 7:22am

+1 for this request.
We use the ROP in some automated tests and therefore had to mock some organization-data. I think this feature would solve some ugly workarounds for us.

not sure, but maybe this topic is related
Generate access tokens for organization members (automated testing) - Auth0 Community

max.fraser · January 24, 2024, 6:41pm

I have a similar issue where I want to grant API access but need to verify Organization Members Roles. It could be different for each Organization and potential nonexistent for other Organizations they are a member of.

dan.woda · January 24, 2024, 7:56pm

Thanks for the feedback @max.fraser and welcome to the Auth0 Community!

john22 · February 7, 2024, 5:35pm

+1 - Super surprised that customers using organizations don’t have a way to generate org-scoped tokens for testing.

How are people testing their applications today? Is the only alternative trying to spin up some mechanism to use a headless browser to login?

thomas.schaller · May 8, 2024, 8:16am

+1 - Same issue on my side. I am using ROP flow for integration tests, and these users have some specific roles in one organization. I am using RABC + add permissions claims in the Access Token, but since we are not able to login though an organization, no permission are added in the access token. This is very blocking on our side, because the only solution (which is not secure) is to add these roles globally to these test users.

max.fraser · May 8, 2024, 10:48am

I ended up creating a TokenValidationService middleware on my API that gets called when the token is validated. I check if the qty claim is set to ‘password’, if it is then I make additional calls to to auth0 to get my users organizations and roles and add those to the claims. It is working well, just a bit of overhead on the first call, caching additional requests for subsequent api calls.

I am using .net, pretty simple to setup - see below if it helps:

builder.Services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(options =>
    {
        options.Authority = auth0Settings?.Authority; 
        options.Audience = auth0Settings?.Audience;
        options.RequireHttpsMetadata = false;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidAudience = auth0Settings?.Audience,
            ValidIssuer = auth0Settings?.Domain,
            ValidateLifetime = true,
        };
        options.Events = new JwtBearerEvents
        {
            OnTokenValidated = async context =>
            {
                var tokenValidationService = context.HttpContext.RequestServices.GetRequiredService<TokenValidationService>();
                await tokenValidationService.OnTokenValidatedAsync(context);
            }
        }; 
    });

then just implement your TokenValidationService to parse and add additional claims.