I am not sure if I am misunderstanding something fundamental here. My general approach is to have a connection per org. For now these are all database connections.
Client App is configured for business users only:
"organization_usage": "require",
"organization_require_behavior": "post_login_prompt",
So I have an org
{
  "id": "org_8Gewxxx",
  "name": "00f18930-xxx",
  "display_name": "White Region",
  "metadata": {
    "password_expiry_days": "365"
  }
},
with a single enabled connection.
[
  {
    "connection_id": "con_XMjcxxx",
    "assign_membership_on_login": true,
    "is_signup_enabled": false,
    "show_as_button": true,
    "connection": {
      "name": "connection-for-white-region",
      "strategy": "auth0"
    }
  }
]
connection details
{
  "id": "con_XMjcxxx",
  "options": {
    "mfa": {
      "active": true,
      "return_enroll_settings": true
    },
    "attributes": {
      "email": {
        "signup": {
          "status": "required",
          "verification": {
            "active": true
          }
        },
        "identifier": {
          "active": false
        },
        "profile_required": true,
        "verification_method": "link"
      },
      "username": {
        "signup": {
          "status": "required"
        },
        "identifier": {
          "active": true
        },
        "validation": {
          "max_length": 15,
          "min_length": 1,
          "allowed_types": {
            "email": false,
            "phone_number": false
          }
        },
        "profile_required": true
      }
    },
    "passwordPolicy": "good",
    "passkey_options": {
      "challenge_ui": "both",
      "local_enrollment_enabled": true,
      "progressive_enrollment_enabled": true
    },
    "password_history": {
      "size": 6,
      "enable": true
    },
    "strategy_version": 2,
    "password_dictionary": {
      "enable": true
    },
    "authentication_methods": {
      "passkey": {
        "enabled": false
      },
      "password": {
        "enabled": true
      }
    },
    "brute_force_protection": true,
    "password_no_personal_info": {
      "enable": true
    },
    "password_complexity_options": {
      "min_length": 12
    }
  },
  "strategy": "auth0",
  "name": "connection-for-white-region",
  "is_domain_connection": false,
  "realms": [
    "connection-for-white-region"
  ],
  "enabled_clients": [
    "Xoscxxx", //management api
    "ntW3xxx" //SPA client
  ]
}
And a user with a single identity
{
  "created_at": "2025-05-06T15:03:56.799Z",
  "email": "alan.hay+20@xxx",
  "email_verified": true,
  "family_name": "Hay",
  "given_name": "Alan",
  "identities": [
    {
      "connection": "connection-for-white-region",
      "user_id": "0955bf29-xxx",
      "provider": "auth0",
      "isSocial": false
    }
  ],
  "name": "Alan Hay",
  "nickname": "Alan",
  "updated_at": "2025-05-06T15:10:25.846Z",
  "user_id": "auth0|0955bf29-xxx",
  "user_metadata": {
    "check_email_verification": true
  },
  "username": "alhayxxx",
  "blocked": false,
  "last_password_reset": "2025-05-06T15:10:25.832Z"
}
I would expect, if I am understanding the documentation correctly, that when the user belongs to only a single org then that should be resolved at authentication time and I do not need to pass the organization name or id with the auth request.
However, when I do not explicitly send the organization id/name as part of the auth request, the login attempt is made against a connection to which the user has no relationship (but which is enabled for the same client app).
So I am not sure if my understanding is fundamentally wrong or if some other config is breaking this. Or is this due to the fact that we use a connection per org rather than a single connection, so that at the point of authentication, without the organization param, it cannot be determined which database to look in for the credentials? I am guessing this is my issue. If we were using email identifiers rather than usernames then we could use HRD to determine the correct connection (assuming a single connection per org).
Log Extract
{
  "date": "2025-05-07T09:12:18.920Z",
  "type": "fu",
  "description": "Wrong email or password.",
  "connection": "Blue-Region",
  "connection_id": "con_HfD7xxx",
  "client_id": "ntW3xxx",
  "client_name": "xxx",
  "ip": "xxx",
  "user_agent": "Chrome 136.0.0 / Linux 0.0.0",
  "details": {
    "error": {
      "message": "Wrong email or password."
    }
  },
  "user_id": "",
  "user_name": "alhayxxx",
  "strategy": "auth0",
  "strategy_type": "database",
  "$event_schema": {
    "version": "1.0.0"
  },
  "log_id": "90020250507091219005460000000000000001223372051404369952",
  "tenant_name": "dev-f2r5xxx",
  "_id": "90020250507091219005460000000000000001223372051404369952",
  "isMobile": false
}
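
As an added example (not part of the original post, and not Auth0 tooling), this script joins failed-login log events with user records to separate attempts that hit a connection where the named user has no identity from ordinary wrong-password failures. The sample users and events are constructed from the fields shown in the post; the function names are hypothetical.

```python
import json

# Constructed sample data, modelled on the user record and log extract in the post.
USERS = json.loads("""[
  {"username": "alhayxxx", "user_id": "auth0|0955bf29-xxx",
   "identities": [{"connection": "connection-for-white-region", "provider": "auth0"}]}
]""")

LOG_EVENTS = json.loads("""[
  {"date": "2025-05-07T09:12:18.920Z", "type": "fu", "connection": "Blue-Region",
   "client_id": "ntW3xxx", "user_name": "alhayxxx", "strategy_type": "database"},
  {"date": "2025-05-07T09:15:02.000Z", "type": "fu", "connection": "connection-for-white-region",
   "client_id": "ntW3xxx", "user_name": "alhayxxx", "strategy_type": "database"},
  {"date": "2025-05-07T09:16:40.000Z", "type": "fu", "connection": "Blue-Region",
   "client_id": "ntW3xxx", "user_name": "nobody", "strategy_type": "database"}
]""")


def connections_by_username(users):
    """Map each username to the set of connections it has an identity in."""
    index = {}
    for user in users:
        name = user.get("username")
        if not name:
            continue  # users without a username cannot be matched to log events
        conns = {i["connection"] for i in user.get("identities", [])}
        index.setdefault(name, set()).update(conns)
    return index


def misrouted_failures(events, users):
    """Return failed database logins attempted against a connection in which
    the named user has no identity (wrong database, not a wrong password)."""
    index = connections_by_username(users)
    findings = []
    for ev in events:
        if ev.get("type") != "fu" or ev.get("strategy_type") != "database":
            continue
        known = index.get(ev.get("user_name"))
        if known is None:  # username not found in any connection: ordinary failure
            continue
        if ev.get("connection") not in known:
            findings.append({"date": ev["date"], "user_name": ev["user_name"],
                             "attempted": ev.get("connection"), "expected": sorted(known)})
    return findings


if __name__ == "__main__":
    for finding in misrouted_failures(LOG_EVENTS, USERS):
        print(json.dumps(finding))
```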