Cannot login to Organization

I have multiple organizations, each of which has a single connection (with strategy=auth0) defined.

There is a single client app and the connections are all enabled for this app.

All users belong to a single org.

The documentation would suggest that in this scenario I do not need to pass the ?organization=org_id as part of the auth request. Authentication works when I do pass it; however, when I don’t pass it, authentication fails and the logs indicate the wrong connection (for some completely different org) was used.

Is there any reason this might happen or is the organization parameter required?

Hi @alan.hay

Welcome to the Auth0 Community!

Indeed, if the connection used by the user has auto membership enabled under the organization’s settings and if that connection is enabled on the application, it should allow users to log in without any issues and add them to the organization as well if they were not a part of it yet.

May I ask what kind of connection you are using (database/social/enterprise) and what the organization settings for the application are (individuals/business users/both)?

Kind Regards,
Nik

I am not sure if I am misunderstanding something fundamental here. My general approach is to have a connection per org. For now these are all database connections.

Client App is configured for business users only:

    "organization_usage": "require",
    "organization_require_behavior": "post_login_prompt",

So I have an org

 {
   "id": "org_8Gewxxx",
   "name": "00f18930-xxx",
   "display_name": "White Region",
   "metadata": {
     "password_expiry_days": "365"
   }
 },

with a single enabled connection.

[
  {
    "connection_id": "con_XMjcxxx",
    "assign_membership_on_login": true,
    "is_signup_enabled": false,
    "show_as_button": true,
    "connection": {
      "name": "connection-for-white-region",
      "strategy": "auth0"
    }
  }
]

connection details

  {
    "id": "con_XMjcxxx",
    "options": {
      "mfa": {
        "active": true,
        "return_enroll_settings": true
      },
      "attributes": {
        "email": {
          "signup": {
            "status": "required",
            "verification": {
              "active": true
            }
          },
          "identifier": {
            "active": false
          },
          "profile_required": true,
          "verification_method": "link"
        },
        "username": {
          "signup": {
            "status": "required"
          },
          "identifier": {
            "active": true
          },
          "validation": {
            "max_length": 15,
            "min_length": 1,
            "allowed_types": {
              "email": false,
              "phone_number": false
            }
          },
          "profile_required": true
        }
      },
      "passwordPolicy": "good",
      "passkey_options": {
        "challenge_ui": "both",
        "local_enrollment_enabled": true,
        "progressive_enrollment_enabled": true
      },
      "password_history": {
        "size": 6,
        "enable": true
      },
      "strategy_version": 2,
      "password_dictionary": {
        "enable": true
      },
      "authentication_methods": {
        "passkey": {
          "enabled": false
        },
        "password": {
          "enabled": true
        }
      },
      "brute_force_protection": true,
      "password_no_personal_info": {
        "enable": true
      },
      "password_complexity_options": {
        "min_length": 12
      }
    },
    "strategy": "auth0",
    "name": "connection-for-white-region",
    "is_domain_connection": false,
    "realms": [
      "connection-for-white-region"
    ],
    "enabled_clients": [
      "Xoscxxx", //management api
      "ntW3xxx" //SPA client
    ]
  }

And a user with a single identity

  {
    "created_at": "2025-05-06T15:03:56.799Z",
    "email": "alan.hay+20@xxx",
    "email_verified": true,
    "family_name": "Hay",
    "given_name": "Alan",
    "identities": [
      {
        "connection": "connection-for-white-region",
        "user_id": "0955bf29-xxx",
        "provider": "auth0",
        "isSocial": false
      }
    ],
    "name": "Alan Hay",
    "nickname": "Alan",
    "updated_at": "2025-05-06T15:10:25.846Z",
    "user_id": "auth0|0955bf29-xxx",
    "user_metadata": {
      "check_email_verification": true
    },
    "username": "alhayxxx",
    "blocked": false,
    "last_password_reset": "2025-05-06T15:10:25.832Z"
  }

I would expect, if I am understanding the documentation correctly, that when the user belongs to only a single org, that should be resolved at authentication time and I do not need to pass the organization name or ID with the auth request.

However, when I do not explicitly send the organization ID/name as part of the auth request, the login attempt is made against a connection to which the user has no relationship (but which is enabled for the same client app).

So I am not sure if my understanding is fundamentally wrong or if some other config is breaking this. Or is this due to the fact that we use a connection per org rather than a single connection, so that at the point of authentication, without the organization param, it cannot be determined which database to look in for the credentials? I am guessing this is my issue. If we were using email identifiers rather than usernames, we could use HRD to determine the correct connection (assuming a single connection per org).

Log Extract

 {
    "date": "2025-05-07T09:12:18.920Z",
    "type": "fu",
    "description": "Wrong email or password.",
    "connection": "Blue-Region",
    "connection_id": "con_HfD7xxx",
    "client_id": "ntW3xxx",
    "client_name": "xxx",
    "ip": "xxx",
    "user_agent": "Chrome 136.0.0 / Linux 0.0.0",
    "details": {
      "error": {
        "message": "Wrong email or password."
      }
    },
    "user_id": "",
    "user_name": "alhayxxx",
    "strategy": "auth0",
    "strategy_type": "database",
    "$event_schema": {
      "version": "1.0.0"
    },
    "log_id": "90020250507091219005460000000000000001223372051404369952",
    "tenant_name": "dev-f2r5xxx",
    "_id": "90020250507091219005460000000000000001223372051404369952",
    "isMobile": false
  },
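As an added diagnostic (not code from this thread or from Auth0), the check below correlates the user record, the org's enabled connections and the tenant log extract shown above: it flags failed logins that were routed to a connection the user has no identity in, and builds the /authorize request with the organization pinned, which is the variant the thread reports as working. The Blue-Region org id, the tenant domain and the redirect URI are placeholders.

```python
from urllib.parse import urlencode

# Constructed sample data shaped like the Management API output in the thread
# (ids redacted as on the page; org_BLUExxx is a placeholder for the other org).
ORG_CONNECTIONS = {
    "org_8Gewxxx": ["connection-for-white-region"],
    "org_BLUExxx": ["Blue-Region"],
}
USER = {
    "user_id": "auth0|0955bf29-xxx",
    "username": "alhayxxx",
    "identities": [{"connection": "connection-for-white-region", "provider": "auth0"}],
}
# Constructed tenant log lines: "fu" is a failed username/password login, "s" a success.
LOGS = [
    {"type": "fu", "connection": "Blue-Region", "user_name": "alhayxxx", "client_id": "ntW3xxx"},
    {"type": "s", "connection": "connection-for-white-region", "user_name": "alhayxxx", "client_id": "ntW3xxx"},
]

def identity_connections(user):
    """Connections the user actually has an identity in (the only places a password can match)."""
    return {i["connection"] for i in user.get("identities", [])}

def organizations_for_connections(connections, org_connections):
    """Reverse the org -> enabled connections mapping to find the org(s) the login should be pinned to."""
    return sorted(org for org, conns in org_connections.items() if set(conns) & set(connections))

def find_misrouted_logins(logs, users_by_username, org_connections):
    """Flag login events where the connection Auth0 used is not one the named user belongs to."""
    flagged = []
    for event in logs:
        user = users_by_username.get(event.get("user_name"))
        if user is None:  # unknown username: nothing to compare against
            continue
        expected = identity_connections(user)
        if event.get("connection") not in expected:
            flagged.append({
                "user_name": event["user_name"],
                "log_type": event.get("type"),
                "attempted_connection": event.get("connection"),
                "expected_connections": sorted(expected),
                "suggested_organizations": organizations_for_connections(expected, org_connections),
            })
    return flagged

def authorize_url(domain, client_id, redirect_uri, organization):
    """Authorization Code request with the organization pinned, the form that worked in the thread."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid profile email", "organization": organization}
    return f"https://{domain}/authorize?{urlencode(params)}"
```

Run over a real log export, the flagged entries are the ones to compare against the `organization` parameter (or its absence) in the originating auth request.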

Hi again!

I am sorry about the late reply!

Indeed, as mentioned in the documentation, if a user is part of a single organization and with the settings you have mentioned above, they should be able to authenticate without any issues using the specific connection and organization they are a part of.

Could you provide me through a DM the tenant name on which you are experiencing this issue?

Also, is the user by any chance part of both connections, or do they have multiple identities with multiple connections? I believe the user might be forced to authenticate using the primary identity available in the dashboard.

Kind Regards,
Nik