Hello, as the title suggests I am exploring a specific business requirement where I need to add a member to an organisation based on whether or not the user's domain (the user trying to sign up) matches an allowed_domains property that is defined as metadata in a bunch of organisations.
Now I have the following setup:
- After a user registers, the post user-registration Action extracts their email domain (e.g., “abv.bg” from “user@abv.bg”).
- It then retrieves all organizations using the Auth0 Management API and checks each organization’s “allowed_domains” metadata.
- If the user’s domain matches (including handling wildcards like “*.abv.bg”), the Action adds the user to that organization using the Management API.
From the logs, the sequence of events:
- 08:24:25.831Z - Success Signup: The user successfully signs up using the “Username-Password-Authentication” connection for the “ABCDE” application.
- 08:24:26.054Z - Failed Login: Just 0.223 seconds later, a login attempt fails with the error “client requires organization membership, but user does not belong to any organization.” This indicates that the application requires users to be part of an organization to log in successfully.
- 08:24:28.172Z - Success Exchange: The system exchanges client credentials for an Access Token (likely for the Management API), which happens as part of the post-registration Action preparing to add the user to an organization.
- 08:24:28.507Z - API Operation: The user is successfully added to an organization via the Management API, approximately 2.5 seconds after the failed login attempt.
As far as I understand, the root issue seems to be:
- After signup, the application immediately attempts to log the user in.
- The post user-registration Action, which adds the user to an organization based on their email domain, is asynchronous. It runs in the background and doesn’t complete before the login attempt.
- Since the application requires organization membership for login, and the user isn’t yet in an organization, the login fails.
- Only after this failure does the Action complete, adding the user to the organization, BUT by then, the user has already encountered an error.
Now I assume that the practical solution would be to adjust the client application's behavior to account for the asynchronous nature of the post-registration Action.
The goal is to ensure the login attempt succeeds by giving the Action enough time to complete, but ideally I would prefer not to have to implement hacky timers to delay the FE application and/or, worse, have to write some retry mechanism that attempts to log the user in after a period of time to make up for the delayed async Action. I am wondering if there is a legit way of dealing with this?
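The domain-matching step of the setup described above, written out as an added example (not the poster's Action code). It assumes allowed_domains is stored as a comma-separated string in organization metadata, and the ManagementClient calls and secret names in the handler are assumptions to be checked against the SDK version the Action pins; the matching functions themselves run offline on the constructed sample organizations.

```javascript
// Lowercase domain of an email address, or null if the address is malformed.
function emailDomain(email) {
  const at = typeof email === "string" ? email.lastIndexOf("@") : -1;
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// "abv.bg" matches exactly; "*.abv.bg" matches any subdomain (mail.abv.bg,
// a.b.abv.bg) but not abv.bg itself nor a lookalike such as abv.bg.evil.test.
function domainMatches(domain, pattern) {
  const p = pattern.trim().toLowerCase();
  if (!p || !domain) return false;
  if (p.startsWith("*.")) {
    const suffix = p.slice(1); // ".abv.bg"
    return domain.length > suffix.length && domain.endsWith(suffix);
  }
  return domain === p;
}

// Metadata values are strings, so allowed_domains is assumed comma-separated.
function allowedDomainsOf(org) {
  const raw = (org.metadata && org.metadata.allowed_domains) || "";
  return raw.split(",").map((s) => s.trim()).filter(Boolean);
}

// Ids of every organization whose allowed_domains admits `email`.
function matchingOrganizations(orgs, email) {
  const domain = emailDomain(email);
  return orgs
    .filter((org) => allowedDomainsOf(org).some((p) => domainMatches(domain, p)))
    .map((org) => org.id);
}
// Constructed sample organizations (not real tenant data).
const sampleOrgs = [
  { id: "org_abv", metadata: { allowed_domains: "abv.bg, *.abv.bg" } },
  { id: "org_other", metadata: { allowed_domains: "example.com" } },
  { id: "org_open", metadata: {} },
];
const demo = matchingOrganizations(sampleOrgs, "User@Mail.abv.bg"); // ["org_abv"]
// Action body (exports.onExecutePostUserRegistration in the Action editor).
// ManagementClient method and secret names are assumptions; verify against the SDK.
async function onExecutePostUserRegistration(event, api) {
  const { ManagementClient } = require("auth0");
  const mgmt = new ManagementClient({ domain: event.secrets.DOMAIN,
    clientId: event.secrets.CLIENT_ID, clientSecret: event.secrets.CLIENT_SECRET });
  const orgs = await mgmt.organizations.getAll();
  for (const id of matchingOrganizations(orgs, event.user.email)) {
    await mgmt.organizations.addMembers({ id }, { members: [event.user.user_id] });
  }
}
```

Anchoring the wildcard to a leading dot is what keeps “*.abv.bg” from admitting a registered domain that merely contains “abv.bg” somewhere in its name.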