Auth0 migration: user table with organizations

Hi,

We are currently considering migrating our user management and authentication process to auth0. I have a few questions about how we should organize the users table, both in the auth0 environment and in our own platform.

Right now, we have 2 levels in our identity system:

  • The user
  • The organization the users belong to (a given user - eg email address - can only belong to a single organization)

We use solely a relational DB. User and Organization are currently 2 tables with a 1-to-N relationship.

Then most of the resources (for example an article) are associated with one or several organizations (by means of a foreign key in the resource table).

We would like to maintain this double level of identity user / organization in auth0.

So 3 questions here:

  1. How can the double level (user/organization) be described on the auth0 side?
  • I’ve checked quickly the auth0 “organization” concept, but it involves having a tenant per organization, which is quite an overkill for us. Plus we do not want the user to have to enter their organization name when logging in, as a given user maps to only one organization anyway.
  • Using app_metadata to describe organization membership seems the most sensible way, but how would that work if I need to modify the data of a single organization without having to modify each and every user record?
  2. When decoding a token generated by auth0, I would then need to know both the user and organization identities. What is the easiest way to do that? I was maybe considering using the “sub” claim to return the user UUID (I want a UUID, not auth0’s user_id), and having a custom additional “org” claim to return the organization UUID?
  3. As access to resources is primarily conditioned by SQL relations, we think it makes sense to also maintain both the user and organization tables in our platform (this is what is recommended here: User Data Storage (auth0.com)). User management would be done in Auth0, so this is where the most up-to-date user table would be found. Yet, what synchronization process do you recommend? Right now the token is verified at every single API call, but it doesn’t seem reasonable to update the data each time an API call is made to our application, as it would add some latency.

Many thanks for your help!
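Added example (not part of the original post, and not Auth0's own code): an API-side check that verifies an incoming JWT and only then reads the user and organization identities out of it. It assumes the organization UUID (and a user UUID) travel in namespaced custom claims, which is how Auth0 expects non-standard claims to be named, and it leaves the standard `sub` claim alone as the Auth0 user_id. The issuer, audience, claim names and HS256 shared key are constructed placeholders; a real Auth0 API would verify an RS256 signature against the tenant's JWKS, but the order of checks (pinned algorithm, signature, issuer, audience, expiry, then claims) is the same.

```python
"""Verify an Auth0-style JWT offline and extract the user and organization identities."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# All values below are constructed for this example; none come from the original post.
ISSUER = "https://example-tenant.example.auth0.com/"  # assumed tenant issuer URL
AUDIENCE = "https://api.example.com/"                  # assumed API identifier (audience)
USER_UUID_CLAIM = "https://example.com/user_uuid"      # assumed namespaced custom claim
ORG_UUID_CLAIM = "https://example.com/org_uuid"        # assumed namespaced custom claim
DEMO_KEY = b"constructed-hs256-demo-key"               # HS256 demo secret; Auth0 normally signs with RS256


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT so the verifier below can be exercised without a live tenant."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def identities_from_token(token: str, key: bytes = DEMO_KEY, now: Optional[float] = None) -> dict:
    """Verify signature, issuer, audience and expiry, then return the identity triple.

    Raises ValueError on any failure so the caller rejects the request outright.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm: the token must never choose how it is verified (e.g. alg=none).
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if AUDIENCE not in audiences:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")

    # Only after every check above do the claims carry any authority.
    sub = claims.get("sub")
    user_uuid = claims.get(USER_UUID_CLAIM)
    org_uuid = claims.get(ORG_UUID_CLAIM)
    if not (sub and user_uuid and org_uuid):
        raise ValueError("missing identity claims")
    return {"auth0_user_id": sub, "user_uuid": user_uuid, "org_uuid": org_uuid}


if __name__ == "__main__":
    demo = make_token({
        "iss": ISSUER, "aud": AUDIENCE, "sub": "auth0|demo-user",
        USER_UUID_CLAIM: "0f1e2d3c-user", ORG_UUID_CLAIM: "9a8b7c6d-org",
        "iat": int(time.time()), "exp": int(time.time()) + 600,
    })
    print(identities_from_token(demo))
```

With this in place, each API request only needs the verified `user_uuid` and `org_uuid` to drive the SQL foreign-key checks against the locally kept user and organization tables; nothing has to be fetched from Auth0 on the request path, which is what keeps the per-call latency flat.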