Adding a member to an org via post-user registration

Hello, as the title suggests, I am exploring a specific business requirement where I need to add a member to an organisation based on whether or not the user's domain (the user trying to sign up) matches an allowed_domains property that is defined as metadata in a bunch of organisations.

Now I have the following setup:

  1. After a user registers, the post user-registration Action extracts their email domain (e.g., “abv.bg” from “user@abv.bg”).

  2. It then retrieves all organizations using the Auth0 Management API and checks each organization’s “allowed_domains” metadata.

  3. If the user’s domain matches (including handling wildcards like “*.abv.bg”), the Action adds the user to that organization using the Management API.

From the logs, the sequence of events:

  • 08:24:25.831Z - Success Signup: The user successfully signs up using the “Username-Password-Authentication” connection for the “ABCDE” application.

  • 08:24:26.054Z - Failed Login: Just 0.223 seconds later, a login attempt fails with the error “client requires organization membership, but user does not belong to any organization.” This indicates that the application requires users to be part of an organization to log in successfully.

  • 08:24:28.172Z - Success Exchange: The system exchanges client credentials for an Access Token (likely for the Management API), which happens as part of the post-registration Action preparing to add the user to an organization.

  • 08:24:28.507Z - API Operation: The user is successfully added to an organization via the Management API, approximately 2.5 seconds after the failed login attempt.

As far as I understand, the root issue seems to be:

  • After signup, the application immediately attempts to log the user in.

  • The post user-registration Action, which adds the user to an organization based on their email domain, is asynchronous. It runs in the background and doesn’t complete before the login attempt.

  • Since the application requires organization membership for login, and the user isn’t yet in an organization, the login fails.

  • Only after this failure does the Action complete, adding the user to the organization, BUT by then, the user has already encountered an error.

Now I assume that the practical solution would be to adjust the client application's behavior to account for the asynchronous nature of the post-registration Action.

The goal is to ensure the login attempt succeeds by giving the Action enough time to complete, but ideally I would prefer not to have to implement hacky timers to delay the FE application and/or, worse, have to write some retry mechanism that attempts to log the user in after a period of time to make up for the delayed async Action. I am wondering if there is a legit way of dealing with this?
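To make the three steps of the Action concrete, here is an added example in the shape of an Auth0 post-user-registration Action. It is not code from the original post or from Auth0; it assumes that `allowed_domains` is stored as a comma-separated string in organization metadata and that a Management API client exposing `organizations.getAll()` and `organizations.addMembers()` is injected (a constructed fake is used here so it runs offline; the real client, its pagination and its credentials are out of scope). The wildcard check is deliberately label-bounded so that `*.abv.bg` matches `mail.abv.bg` but not `notabv.bg`, and an org with no `allowed_domains` entry admits nobody.

```javascript
// Added example (not from the original post): domain matching and organization
// assignment logic shaped like an Auth0 post-user-registration Action.
// The Management API client is injected (assumption) so the logic runs offline.

// Extract the lower-cased domain part of an email. Returns null when there is
// no usable "@" separator so the caller bails out instead of matching "".
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const at = email.lastIndexOf("@");
  if (at < 0 || at === email.length - 1) return null;
  return email.slice(at + 1).trim().toLowerCase();
}

// Does `domain` satisfy one allowed_domains entry?
//   "abv.bg"   matches exactly "abv.bg"
//   "*.abv.bg" matches "mail.abv.bg" or "a.b.abv.bg", but not "abv.bg" itself
//              and not "notabv.bg" (suffix must start at a label boundary)
function matchesPattern(domain, pattern) {
  const p = String(pattern).trim().toLowerCase();
  if (!p || !domain) return false;
  if (p.startsWith("*.")) {
    const suffix = p.slice(1); // "*.abv.bg" -> ".abv.bg"
    return domain.length > suffix.length && domain.endsWith(suffix);
  }
  return domain === p;
}

// Organizations whose metadata.allowed_domains admits `domain`.
// Assumption: allowed_domains is a comma-separated string (org metadata
// values are strings). Missing or empty metadata admits no one.
function findMatchingOrganizations(domain, organizations) {
  return organizations.filter((org) => {
    const raw = (org.metadata && org.metadata.allowed_domains) || "";
    const patterns = raw.split(",").map((s) => s.trim()).filter(Boolean);
    return patterns.some((pat) => matchesPattern(domain, pat));
  });
}

// Action-shaped entry point. `management` is assumed to expose
// organizations.getAll() -> array of orgs and
// organizations.addMembers({ id }, { members: [userId] }).
// A real deployment must page through getAll(); a single page is assumed here.
async function onExecutePostUserRegistration(event, management) {
  const domain = emailDomain(event.user.email);
  if (!domain) return { added: [] };
  const orgs = await management.organizations.getAll();
  const matches = findMatchingOrganizations(domain, orgs);
  for (const org of matches) {
    await management.organizations.addMembers({ id: org.id }, { members: [event.user.user_id] });
  }
  return { added: matches.map((o) => o.id) };
}

// Constructed sample organizations for the offline demo.
const SAMPLE_ORGS = [
  { id: "org_abv", name: "abv", metadata: { allowed_domains: "abv.bg, *.abv.bg" } },
  { id: "org_example", name: "example", metadata: { allowed_domains: "example.com" } },
  { id: "org_none", name: "none", metadata: {} },
];

// Fake Management client that records addMembers calls instead of issuing them.
function makeFakeManagement(orgs) {
  const calls = [];
  return {
    calls,
    organizations: {
      getAll: async () => orgs,
      addMembers: async ({ id }, { members }) => { calls.push({ id, members }); },
    },
  };
}

// Demo: a user registering with a subdomain of abv.bg lands in org_abv only.
async function demo() {
  const fake = makeFakeManagement(SAMPLE_ORGS);
  const event = { user: { email: "user@mail.abv.bg", user_id: "auth0|constructed" } };
  const result = await onExecutePostUserRegistration(event, fake);
  console.log(result.added, fake.calls);
  return result;
}

module.exports = { emailDomain, matchesPattern, findMatchingOrganizations, onExecutePostUserRegistration, SAMPLE_ORGS, makeFakeManagement, demo };
```

Because membership is granted from the email domain alone, the match is only as trustworthy as the email address; the follow-up in this thread gates login on a verified email, which is the check that closes that gap. The exact-match and label-boundary rules above matter for the same reason: a plain substring or `endsWith("abv.bg")` check would admit any domain that merely ends in those characters.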

Hi @paul.bowyer

Welcome to the Auth0 Community!

The reason why the login fails after registration is that the access token is being generated and provided prior to the Action being executed, meaning that your application will receive an access token where the user is not part of any organization and be denied access. This would be considered expected behaviour.

As a workaround to this issue, I would recommend enabling sign-ups to your organizations and then handling, in a post-login trigger/post-registration trigger, the assignment to the correct organization. This might be troublesome because the user might be assigned to multiple organizations and then you would need to remove them and only keep the one they need to be a part of. In this scenario, if a user does not have a domain which is supposed to be part of any organization, just deny access to the application using api.access.deny('reason') and delete the user.

I believe the best approach for your use case would be to display a message to your users prompting them to re-authenticate after registration in order for the access token. A better alternative would be to set your organization to allow users without an organization to register by selecting Both on the organization’s settings. This way, if your application detects that their access token does not have an organization, they will be prompted to re-authenticate or you could retrieve an access token silently and just deny access to users whose domain is not part of any organization.

If you have any other questions on the matter, let me know!

Kind Regards,
Nik


Hey thanks for your reply!

I ended up creating an intermediate page where I display a message to the user on the FE that their account has been finalized and that they need to verify their email.

I have a lambda in post-login which also checks if the user is verified, so by the time the user verifies their email the post user-registration lambda would have kicked in, adding the user to an org. This solves our problem.