Context
When implementing lazy migration with organizations, a common scenario arises where legacy users need to be assigned to specific organizations during the login process. Currently, there is no straightforward way to achieve this in the custom database login script.
As noted in the documentation for returning the user profile, the user profile returned by the login script contains essential information such as user_id, email, and other attributes. However, it lacks the ability to specify organization memberships.
Problem
For applications relying on Auth0 Organizations, users must belong to an organization to authenticate via an organization’s login page successfully. During lazy migration, legacy users often do not belong to any organization in Auth0. Without a mechanism to dynamically assign users to organizations during login, the following issues occur:
- Failed Login: Users cannot authenticate because they are not members of the requested organization.
- Complex Workarounds: Current workarounds (e.g., using Actions or the Management API) are not viable, as the organization membership check happens before Actions or Rules are executed.
Proposed Solution
Allow the custom database login script to include an optional property, such as org_ids, in the user profile returned to Auth0. For example:
callback(null, {
  user_id: "auth0|1234567890",
  email: "example@example.com",
  email_verified: true,
  app_metadata: { customAttribute: "value" },
  org_ids: ["org_12345", "org_67890"] // New property for organization assignment
});
When org_ids are specified:
- Auth0 should automatically assign the user to the listed organizations during login.
- The user should proceed through the login flow as a valid member of the specified organizations.
Benefits
- Simplified Lazy Migration: Enables seamless migration of legacy users to Auth0 Organizations without complex workarounds or external systems.
- Improved Developer Experience: Reduces frustration by providing a native mechanism to handle organization assignments.
- Enhanced Flexibility: Supports dynamic scenarios where organization membership must be determined at runtime.
Use Case
A SaaS platform is migrating users from a legacy authentication system to Auth0. Each legacy user belongs to one or more teams (equivalent to Auth0 organizations), and each team has its dedicated login page. The company aims to use lazy migration to ensure a seamless process for end users, allowing legacy users to log in without interruption or additional steps.
However, without the ability to dynamically assign users to organizations during migration, legacy users cannot authenticate into their respective organizations. The only alternative would be a bulk migration, disrupting the user experience by requiring all users to reset their passwords.
Closing Thoughts
This feature would address a critical gap for teams using lazy migration with Auth0 Organizations, streamline integration processes, and reduce developer frustration. We hope you’ll consider this request, and we’re happy to provide more details or feedback as needed.