Our product tries to support both users who belong to an organization and users who do not belong to an organization.
We have prepared two types of applications, one for normal login and the other for login with an organization prompt.
We have confirmed that users who are registered as members of the organization can log in by entering the organization prompt, but the problem is that they could also log in with the application that has no organization prompt.
We think this is because the Database Connection is the same.
Is there any way to make it so that users belonging to an organization can only log in to an application that has an organization prompt?
Hi @mikan3rd
This sounds complex, and like there may be another approach (like having two DB connections, one for organizations and one for non-organization users).
You can do two workarounds, but I do consider both to be workarounds, and not solid architecture:
The app can check the ID token and ensure the user is a member of the org, and if not, do something reasonable.
You can write an action/rule to verify organization membership and fail the auth if needed.
John
Thanks for the answer.
I found that I can get the client_id used for login in the Post-Login custom Action.
However, I could not find out how to determine whether the logged-in user belongs to an organization or not.
How can I make sure that the user belongs to the organization?
Incidentally, it seems that event.organization can only be retrieved if there is an organization prompt.
exports.onExecutePostLogin = async (event, api) => {
  // client_id of the application the user is logging in through
  console.log(event.client.client_id)
  // How can I make sure that the user belongs to the organization?
};
Hi @mikan3rd
There’s a potential terminology issue here. Auth0 has a feature called “Organizations”. I am assuming you are NOT referring to Auth0’s Organizations.
To determine if a user is a member of your organization, you will need to store the organization in the user’s app_metadata.
John
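Putting John's two suggestions together (the Action that fails the login, and membership stored in app_metadata), here is an added example of a Post-Login Action. It is not code from the thread or from Auth0; the field name `app_metadata.organization` and the two client_id values are assumptions standing in for the real applications, and `makeEvent` builds constructed event objects so the policy can be exercised without a tenant. `event.client.client_id`, `event.user.app_metadata`, `event.organization.id` and `api.access.deny(reason)` are the real Actions API surfaces the code relies on.

```javascript
// Added example (not from the original thread): an Auth0 Post-Login Action that
// keeps organization members on the application with the organization prompt
// and keeps non-members off it.
//
// Assumptions (hypothetical, not from the thread):
//  - membership is stored as a string in user.app_metadata.organization;
//  - the two client_ids below stand in for the real applications.

const ORG_CLIENT_ID = "org_client_xxxxxxxx";       // assumed: app with organization prompt
const PUBLIC_CLIENT_ID = "public_client_xxxxxxxx"; // assumed: app without organization prompt

// Pure decision function, kept separate from the Action entry point so the
// policy can be unit-tested offline. Returns { allow: true } or { allow: false, reason }.
function evaluateOrgPolicy(event) {
  const clientId = event.client && event.client.client_id;
  const appMetadata = (event.user && event.user.app_metadata) || {};

  // Only a non-empty string counts as membership; "" or whitespace means "no organization".
  const rawOrg = appMetadata.organization;
  const orgId = typeof rawOrg === "string" && rawOrg.trim() !== "" ? rawOrg.trim() : null;
  const isMember = orgId !== null;

  // If an organization prompt was used (event.organization is only set then),
  // it must agree with what app_metadata says about the user.
  if (event.organization && isMember && event.organization.id !== orgId) {
    return { allow: false, reason: "Organization prompt does not match the user's organization" };
  }

  if (clientId === PUBLIC_CLIENT_ID && isMember) {
    return { allow: false, reason: `Members of ${orgId} must sign in through the organization application` };
  }
  if (clientId === ORG_CLIENT_ID && !isMember) {
    return { allow: false, reason: "This application is restricted to organization members" };
  }

  // Any other client in the tenant (dashboards, APIs, ...) is left untouched,
  // because a Post-Login Action runs for every application in the tenant.
  return { allow: true };
}

// Auth0 Actions entry point (Node.js). api.access.deny(reason) aborts the login.
const onExecutePostLogin = async (event, api) => {
  const decision = evaluateOrgPolicy(event);
  if (!decision.allow) {
    api.access.deny(decision.reason);
  }
};

// Constructed event objects shaped like the parts of the real event the policy reads.
function makeEvent(clientId, appMetadata, organization) {
  const event = {
    client: { client_id: clientId },
    user: { user_id: "auth0|example", app_metadata: appMetadata || {} },
  };
  if (organization) event.organization = organization;
  return event;
}

// Stand-alone demonstration with a fake api object.
const fakeApi = { access: { deny: (reason) => console.log("denied:", reason) } };
onExecutePostLogin(makeEvent(PUBLIC_CLIENT_ID, { organization: "org_acme" }), fakeApi);
onExecutePostLogin(makeEvent(ORG_CLIENT_ID, { organization: "org_acme" }), fakeApi);

if (typeof module !== "undefined") {
  module.exports = { onExecutePostLogin, evaluateOrgPolicy, makeEvent, ORG_CLIENT_ID, PUBLIC_CLIENT_ID };
}
```

The check is enforced in the tenant rather than in the application, so a member cannot reach the application without the prompt by simply pointing a browser at it; the application-side ID token check John mentioned is still worth keeping as defence in depth. Clients the policy does not list are allowed through on purpose; switch that last return to a deny if the tenant only contains these two applications and you want to fail closed.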