Can You Grant an Access Token on Behalf of an Organisation?

Is it possible in Auth0 to have a user grant access to a third party on behalf of an organisation?

We’ve tried using the Authorization Code flow with the organisation parameter. But the resulting token is for a user, not for an organisation. This distinction is important in our application because we want to allow multiple users to manage this integration. In the current prototype, we run into the problem that when a user leaves the organisation, the integration is no longer valid since the access token is for the user, not the organisation.

We like the Authorization Code flow since it contains the consent prompt for the user and is an open standard that is easy for third parties to implement. We are open to other OAuth 2.0 flows but would like to keep it as close to the standard as possible.


Hey there @aidan.temple, sorry for the delayed response, and welcome to the community!

I don’t believe this is possible.

While I’m not totally clear on your case, it sounds like you might be interested in Role-Based Access Control (RBAC): basically, you could create a role, assign it to users, and if a user does leave the organization you remove the role. It’s pretty straightforward to add a user’s roles to a token; see this post.
https://auth0.com/docs/manage-users/organizations/configure-organizations/add-member-roles

Hopefully this at least gives you something to work with!
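As an added illustration of the RBAC approach suggested above (example code, not from the thread or from Auth0's own docs): an Auth0 Post-Login Action that copies the organisation id and the user's organisation roles into the access token, alongside the check an API would run so that managing the integration depends on holding a role inside the organisation rather than on being one particular user. The claim namespace `https://example.com/claims/`, the role name `integration-admin` and the sample event are assumptions; Auth0 requires custom claims to be namespaced, but the exact value is up to the tenant.

```javascript
// Added example (not the thread's or Auth0's code). Claim namespace is an
// assumption: Auth0 requires custom claim names to be namespaced URLs.
const CLAIM_NS = 'https://example.com/claims/';

// Build the claims from the Post-Login event. When the login did not go
// through an organisation (no event.organization), nothing is claimed, so
// an org-scoped API check below will fail closed.
function buildOrgRoleClaims(event) {
  if (!event.organization || !event.authorization) {
    return {};
  }
  return {
    [CLAIM_NS + 'org_id']: event.organization.id,
    // event.authorization.roles holds the roles assigned to the user in
    // the context of the organisation they logged in through.
    [CLAIM_NS + 'org_roles']: [...(event.authorization.roles || [])].sort(),
  };
}

// Auth0 Action entry point: in the tenant this is exported as
// exports.onExecutePostLogin; guarded here so the file also runs as a script.
async function onExecutePostLogin(event, api) {
  for (const [name, value] of Object.entries(buildOrgRoleClaims(event))) {
    api.accessToken.setCustomClaim(name, value);
  }
}
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Resource-server side: authorise on (organisation, role), never on user id.
// Any current member holding the role can manage the integration; a member
// who leaves or loses the role is refused on their next token.
function canManageIntegration(claims, expectedOrgId, requiredRole) {
  const orgId = claims[CLAIM_NS + 'org_id'];
  const roles = claims[CLAIM_NS + 'org_roles'] || [];
  return orgId === expectedOrgId && roles.includes(requiredRole);
}

// Constructed sample event, shaped like the Post-Login event object.
const sampleEvent = {
  organization: { id: 'org_abc123', name: 'acme' },
  authorization: { roles: ['member', 'integration-admin'] },
};
```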
