Cannot login to Organization

alan.hay · May 1, 2025, 4:20pm

I have multiple organizations, each of which has a single connection (with strategy=auth0 ) defined.

There is a single client app and the connections are all enabled for this app.

All users belong to a single org.

The documentation would suggest that in this scenario I do not need to pass the ?organization=org_id as part of the auth request. Authentication works when I do pass it however when I don’t pass it authentication fails and the logs indicate the wrong connection (sore some completely different org) was used.

Is there any reason this might happen or is the organization parameter required?

nik.baleca · May 2, 2025, 4:21pm

Hi @alan.hay

Welcome to the Auth0 Community!

Indeed, if the connection used by the user has auto membership enabled under the organization’s settings and if that connection is enabled on the application, it should allow users to log in without any issued and add them to the organization as well if they were not a part of it yet.

May I ask what kind of connection are you using (database/social/enterprise) and what is the organization settings for the application (individuals/business users/both)?

Kind Regards,
Nik

alan.hay · May 7, 2025, 9:59am

I am not sure if I am misunderstanding something fundamental here. My general approach is to have a connection per org. For now these are all database connections.

Client App is configured for business users only:

    "organization_usage": "require",
    "organization_require_behavior": "post_login_prompt",

So I have an org

 {
   "id": "org_8Gewxxx",
   "name": "00f18930-xxx",
   "display_name": "White Region",
   "metadata": {
     "password_expiry_days": "365"
   }
 },

with a single enabled connection.

[
  {
    "connection_id": "con_XMjcxxx",
    "assign_membership_on_login": true,
    "is_signup_enabled": false,
    "show_as_button": true,
    "connection": {
      "name": "connection-for-white-region",
      "strategy": "auth0"
    }
  }

connection details

  {
    "id": "con_XMjcxxx",
    "options": {
      "mfa": {
        "active": true,
        "return_enroll_settings": true
      },
      "attributes": {
        "email": {
          "signup": {
            "status": "required",
            "verification": {
              "active": true
            }
          },
          "identifier": {
            "active": false
          },
          "profile_required": true,
          "verification_method": "link"
        },
        "username": {
          "signup": {
            "status": "required"
          },
          "identifier": {
            "active": true
          },
          "validation": {
            "max_length": 15,
            "min_length": 1,
            "allowed_types": {
              "email": false,
              "phone_number": false
            }
          },
          "profile_required": true
        }
      },
      "passwordPolicy": "good",
      "passkey_options": {
        "challenge_ui": "both",
        "local_enrollment_enabled": true,
        "progressive_enrollment_enabled": true
      },
      "password_history": {
        "size": 6,
        "enable": true
      },
      "strategy_version": 2,
      "password_dictionary": {
        "enable": true
      },
      "authentication_methods": {
        "passkey": {
          "enabled": false
        },
        "password": {
          "enabled": true
        }
      },
      "brute_force_protection": true,
      "password_no_personal_info": {
        "enable": true
      },
      "password_complexity_options": {
        "min_length": 12
      }
    },
    "strategy": "auth0",
    "name": "connection-for-white-region",
    "is_domain_connection": false,
    "realms": [
      "connection-for-white-region"
    ],
    "enabled_clients": [
      "Xoscxxx", //management api
      "ntW3xxx" //SPA client
    ]
  }

And a user with a single identity

  {
    "created_at": "2025-05-06T15:03:56.799Z",
    "email": "alan.hay+20@xxx",
    "email_verified": true,
    "family_name": "Hay",
    "given_name": "Alan",
    "identities": [
      {
        "connection": "connection-for-white-region",
        "user_id": "0955bf29-xxx",
        "provider": "auth0",
        "isSocial": false
      }
    ],
    "name": "Alan Hay",
    "nickname": "Alan",

    "updated_at": "2025-05-06T15:10:25.846Z",
    "user_id": "auth0|0955bf29-xxx",
    "user_metadata": {
      "check_email_verification": true
    },
    "username": "alhayxxx",
    "blocked": false,
    "last_password_reset": "2025-05-06T15:10:25.832Z",
  }

If would expect, if I am understanding the documentation correctly, that when the user belongs to only a single org then that should be resolved at authentication time and I do not need to pass the organization name or id with the auth request.

However when I do not explicitly send the organization id/name as part of the auth request then the login attempt is made against a connection to which the user has no relationship (but is enabled for the same client app).

So I am not sure if my understanding is fundamentally wrong or if some other config is breaking this. Or is this due to the fact that we use a connection per org rather than a single connection and at the point of authentication then without the organization param it cannot be determined which database to look in for the credentials? I am guessing this is my issue. If we were using email identifiers rather than user name then we could use HRD to determine the correct connection (assuming a single connection per org).

Log Extract

 {
    "date": "2025-05-07T09:12:18.920Z",
    "type": "fu",
    "description": "Wrong email or password.",
    "connection": "Blue-Region",
    "connection_id": "con_HfD7xxx",
    "client_id": "ntW3xxx",
    "client_name": "xxx",
    "ip": "xxx",
    "user_agent": "Chrome 136.0.0 / Linux 0.0.0",
    "details": {
      "error": {
        "message": "Wrong email or password."
      }
    },
    "user_id": "",
    "user_name": "alhayxxx",
    "strategy": "auth0",
    "strategy_type": "database",
    "$event_schema": {
      "version": "1.0.0"
    },
    "log_id": "90020250507091219005460000000000000001223372051404369952",
    "tenant_name": "dev-f2r5xxx",
    "_id": "90020250507091219005460000000000000001223372051404369952",
    "isMobile": false
  },

nik.baleca · May 9, 2025, 5:39pm

Hi again!

I am sorry about the late reply!

Indeed, as mentioned in the documentation, if an user is part of a single organization and with the settings you have mentioned above, they should be able to authenticate without any issues using the specific connection they are a part and the organization.

Could you provide me through a DM the tenant name on which you are experiencing this issue?

Also, is the user by any chance part of both connections or has multiple identities with multiple connection? I believe the user might be forced to authenticate using the primary identity available in the dashboard.

Kind Regards,
Nik

nik.baleca · May 15, 2025, 7:50pm

Hi @alan.hay

Thanks for you patience while I was researching the issue that you are experiencing.

The main causes for the issue that you are having are:

You are using username as an identifier for multiple connection
You are using an user created within the Dashboard
Your tenant has a default directory configured

Basically, if an user created within the dashboard tried to authenticate for the first time, the connection used for that user will be the default one set on your tenant. From what I have tested, it appears that the user’s connection and organization are not identified while logging in if they were created within the Dashboard.

If you would have been using email as an identifier instead of usernames, this would have been avoided.

In conclusion, to resolve the issue either the flow that you are looking to implement needs to allow an user to sign up within an organization and connection or just simply remove the default directory set from Dashboard-> Settings → General → API Authorization Settings → Default Directory.

Once you have removed it, the users should be able to authenticate normally even if they were created within the Dashboard/Management API without having to specify the connection or organization.

If you have any other questions, let me know!

Kind Regards,
Nik

system · May 29, 2025, 7:50pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Connection users cannot login to organization Get Help organizations	6	2737	April 13, 2022
Login with multiple connections break when using organisation invite email Get Help auth0 , connections , organizations	4	3153	October 29, 2021
Connection buttons when logging in with Organization Get Help connections , login , organizations	5	3205	May 12, 2022
Incorrect connection used in api? Get Help connections , regular-database-connections	5	1914	February 17, 2023
Can I prevent users who belong to organization from logging in with applications that are not linked to my organization? Get Help	3	3129	January 26, 2022

Cannot login to Organization

Related topics