Hi @paul.bowyer
Welcome to the Auth0 Community!
The reason why the log in fails after registration is due to the fact that the access token is being generated and provided prior to the action being executed, meaning that your application will receive an access token where the user is not part of any organization and be denied access. This would be considered expected behaviour.
As a workaround to this issue, I would recommend enabling sign-ups to your organizations and then handling the assignment to the correct organization in a post login trigger/post registration trigger. This might be troublesome because the user might be assigned to multiple organizations and then you would need to remove them and only keep the one they need to be a part of. In this scenario, if a user does not have a domain which is supposed to be part of any organization, just deny access to the application using api.access.deny('reason') and delete the user.
I believe the best approach for your use case would be to display a message to your users prompting them to re-authenticate after registration in order for the access token. A better alternative would be to set your organization to allow users without an organization to register by selecting Both on the organization’s settings. This way, if your application detects that their access token does not have an organization, they will be prompted to re-authenticate or you could retrieve an access token silently and just deny access to users whose domain is not part of any organization.
If you have any other questions on the matter, let me know!
Kind Regards,
Nik
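
The domain check described in the reply above, sketched as a post-login Action. This is an added example, not code from the original post or from Auth0. The domain-to-organization map, the placeholder organization IDs, the `decideAccess` helper and the verified-email check are assumptions made for illustration; user deletion is not covered.

```javascript
// Constructed mapping: email domain -> organization ID (placeholder values).
const DOMAIN_TO_ORG = new Map([
  ['example.com', 'org_PLACEHOLDER_A'],
  ['example.org', 'org_PLACEHOLDER_B'],
]);

// Hypothetical helper: pure decision logic, kept separate so it can be tested.
function decideAccess(user, organization, domainToOrg = DOMAIN_TO_ORG) {
  const email = typeof user.email === 'string' ? user.email.toLowerCase() : '';
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) {
    return { allow: false, reason: 'No usable email address on the profile.' };
  }
  // Added assumption, not from the post: only a verified address is trusted
  // as evidence of which domain the user belongs to.
  if (user.email_verified !== true) {
    return { allow: false, reason: 'Email address is not verified.' };
  }
  const expectedOrg = domainToOrg.get(email.slice(at + 1));
  if (!expectedOrg) {
    return { allow: false, reason: 'Email domain is not part of any organization.' };
  }
  if (!organization) {
    // Login without organization context (the "Both" setting): let it through
    // and leave it to the application to re-authenticate into expectedOrg.
    return { allow: true, reauthenticate: true, expectedOrg };
  }
  if (organization.id !== expectedOrg) {
    return { allow: false, reason: 'Organization does not match the email domain.' };
  }
  return { allow: true, reauthenticate: false, expectedOrg };
}

// Post-login Action entry point; deny is the only side effect used here.
async function onExecutePostLogin(event, api) {
  const decision = decideAccess(event.user, event.organization);
  if (!decision.allow) {
    api.access.deny(decision.reason);
  }
}

// Auth0 loads Actions as CommonJS modules; the guard keeps the file loadable elsewhere.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```
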