Domain rule for organizations feature

I would like to create a rule to allow users to log in from a specific domain, instead of inviting each member from that domain. It seems that the rules (like “Domain Whitelist”) are running AFTER the organization member list has been checked - so I can’t do anything else in the rule to allow specific domains through.

Hi @nir1,

Welcome to the Auth0 Community!

First, I have tested the Email Domain Whitelist rule and was able to log in when using a whitelisted domain and denied access otherwise.

With that said, I can confirm that this Rule will accomplish your desired behavior.

function emailDomainWhitelist(user, context, callback) {
  // Access should only be granted to verified users.
  if (!user.email || !user.email_verified) {
    return callback(new UnauthorizedError('Access denied.'));
  }

  const whitelist = ['example.com', 'example.org']; //authorized domains
  const userHasAccess = whitelist.some(function (domain) {
    const emailSplit = user.email.split('@');
    return emailSplit[emailSplit.length - 1].toLowerCase() === domain;
  });

  if (!userHasAccess) {
    return callback(new UnauthorizedError('Access denied.'));
  }

  return callback(null, user, context);
}

Note that the Rules execute post-authentication, which always triggers at the end of the auth pipeline.

Please don’t hesitate to reach out if you have any further questions.

Thanks.

How is your example different from the template offered in the web app called “Domain Whitelist”, which doesn’t work?

Again - I’m asking specifically about the new “Organizations” feature, where I use a social connection, don’t enable automatic membership, and don’t want to specify or invite individual members, but would like a rule stating that even though you are not a member of the organization, whitelisted domains are allowed.

Like you said, the rules run at the end of the pipeline, but login fails before that: my user passes the social authentication but fails the membership check in the organization, so the rule isn’t called at all.

Hi @nir1,

Thank you for your response and for taking the time to clarify the whole scenario.

In this case, what you have observed is to be expected. Since you have disabled automatic membership but are forcing users to log in through an organization, they will encounter an unauthorized error for not being a part of the organization.

I don’t think it makes much sense for the user to log in to an organization that they are never allowed to join.

With that said, could you please clarify if you intend to allow the end-users to log in to your app without an organization?

If this is the case, you will need to exclude the organization parameter in the /authorize request. This will enable your end-users to log in to your app using a social connection while not being a part of any organization.

Please let me know if you require further clarification or have any questions.

Thank you.

I’ll explain the use case. I want to have organizations with specific members in each connecting with their social account, but I want our internal support engineers to access ALL organizations. Instead of having them enrolled as members to each organization, I would like a rule to cover current and future organizations.

This seems impossible with auto membership disabled.

Is there a way to access the list of members from within a rule so I can write my own whitelist logic for a domain OR membership (and allow auto membership, I presume)?

I was planning to add a rule and replace their pipeline entirely (enable auto membership); I haven’t tested it end to end yet. There’s a chance that this approach doesn’t work.

function (user, context, callback) {
  var ManagementClient = require('auth0@2.37.0').ManagementClient;

  // Management API token is kept in the Rule's configuration, not in code.
  var management = new ManagementClient({
    token: configuration.members_access_token,
    domain: auth0.domain
  });

  // List the members of the organization the user is logging in to.
  management.organizations.getMembers({ id: context.organization.id }, function (err, members) {
    if (err) {
      console.log(err);
      return callback(err); // fail the login if the lookup fails
    }
    console.log(members);
    callback(null, user, context);
  });
}

Hi @nir1,

Thank you for your responses and clarification.

Yes! Using the ManagementClient as you have done so should allow you to get the list of members within a Rule. It should work the same as the Management API v2 Get Members endpoint behind the scenes.

I noticed in your Rule that you are calling the context.organization.id of the user logging in.
If the user does not belong to any organizations, the flow will trigger an error, as you observed earlier, where the Rule does not run before checking the user against an organization.

Because of this, I am not sure if this approach will work.

I understand you want to assign whitelisted-domain users access to all organizations dynamically instead of the cumbersome task of manually adding them to the organization.

However, with the way organization members are checked for their membership before rules, I am not sure if there is a workaround. You may have to consider writing a script to assign all organization membership access to those whitelisted-domain users.

Please let me know if you have any questions.

Thank you.

Thanks for your support @rueben.tiow so far, I agree that this approach probably won’t work. I think the best alternative is to have an additional organization completely for the internal employees group, and have them login to that organization, and have the access control in the application backend itself to allow members from that special organization to all other tenants. I have no further questions in this regard, again - thanks.
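Added example, not code from the thread or from Auth0: the backend check described in the reply above, implemented in Node.js. It assumes the token the backend has already signature-verified carries Auth0’s `org_id` claim together with the standard `email` and `email_verified` claims; the internal organization id and the support domains are constructed placeholders.

```javascript
// Added example (not from the thread): backend access control for the design
// above. Ordinary users reach only the organization they logged in through;
// members of a dedicated internal organization may reach any tenant, but only
// with a verified email on a whitelisted domain (defense in depth, so a stray
// social account added to the internal org cannot roam across tenants).
// Assumes claims come from an already-verified token with `org_id`, `email`
// and `email_verified`. Ids and domains below are constructed placeholders.

const INTERNAL_ORG_ID = 'org_internal_placeholder';     // constructed
const SUPPORT_DOMAINS = ['example.com', 'example.org']; // constructed

// Domain part of an email address, lower-cased; null when the value does not
// look like an address (no '@', empty local part, or empty domain).
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Decide whether the caller may act on `tenantOrgId`.
// Returns { allowed, reason } so the caller can log every denial.
function canAccessTenant(claims, tenantOrgId) {
  if (!claims || typeof claims.org_id !== 'string' || !tenantOrgId) {
    return { allowed: false, reason: 'missing org_id or tenant' };
  }
  // Regular path: the token was issued for exactly this organization.
  if (claims.org_id === tenantOrgId) {
    return { allowed: true, reason: 'member of tenant' };
  }
  // Support path: token issued for the internal organization.
  if (claims.org_id === INTERNAL_ORG_ID) {
    if (claims.email_verified !== true) {
      return { allowed: false, reason: 'internal user email not verified' };
    }
    const domain = emailDomain(claims.email);
    if (domain && SUPPORT_DOMAINS.includes(domain)) {
      return { allowed: true, reason: 'internal support user' };
    }
    return { allowed: false, reason: 'internal org but domain not whitelisted' };
  }
  return { allowed: false, reason: 'token issued for a different organization' };
}
```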

