Get user's organization id

When a user authenticates I need their organization id to be included in the jwt token. Does anyone know how to activate that?
I have tried adding the metadata at the organization level and that does not automatically add it to the user’s jwt.
Adding metadata for every user would not be practical.
Does anyone else have an idea or know how to get the organization id into the user’s jwt after auth?

Hi @cgifford,

Welcome to the Community!

When you make the /authorize request in your app, you can pass the organization query string parameter to include the org_id claim in the ID Token:

loginWithRedirect({organization: 'org_abc123'})

Here is additional info about working with tokens and organizations:

1 Like

Hi @cgifford - if an end-user is authenticating in the context of an organization, the org_id will be present in both the user’s Access and ID tokens.

1 Like

Thanks.
I’ll try that approach.
I was hoping that the user could log in without specifying which organization he/she is a part of and since I have put the users in their respective organizations their organization would be returned.
Perhaps, the issue is that a user could be part of multiple orgs?
Not seeing that in the response token but I also may not be seeing it because I don’t have an enterprise subscription. I have a call with sales to figure that out tomorrow.

4 Likes

This new feature is exactly what I’ve been looking for.
I basically want to put users in groups but all under one domain.
Unfortunately, with only a dev license subscription that may be my problem.
I think it would be even more amazing if it could return the org_id simply from the user logging in without even specifying.
But I could see that if the user was a member of multiple orgs it is not as simple, as it would be an array instead of a string, perhaps?

2 Likes

Hi @cgifford - glad to hear that.

Re: dev license, thanks for that feedback.

A user must log in in the context of an organization in order for org claims to be present in their ID and Access Token. A given user could be a member of a large number of organizations, depending on the use case that you are supporting. Can you describe what you’re looking to do with organizations, or what use case you are looking to support?

Thanks,

Adam

2 Likes

On my project I inject custom info about the user stored in user_metadata or app_metadata into the JWT using a rule like this:

function (user, context, callback) {
  // configuration.NAMESPACE is the claim namespace defined in the rule settings
  //const userAppsRoles = (context.authorization || {}).roles;
  //const connectionID = (context || {}).connectionID;

  // app_metadata (managed by administrators): customer id
  const userAppMetadata = user.app_metadata = user.app_metadata || {};
  const userCustomerId = userAppMetadata.cid = userAppMetadata.cid || null;
  // user_metadata (editable by the user): preferred language
  const userUserMetadata = user.user_metadata = user.user_metadata || {};
  const userLanguage = userUserMetadata.language = userUserMetadata.language || null;

  let idTokenClaims = context.idToken || {};
  let accessTokenClaims = context.accessToken || {};

  // Add the namespaced custom claims to both the ID and the Access Token
  idTokenClaims[configuration.NAMESPACE + 'cid'] = userCustomerId;
  accessTokenClaims[configuration.NAMESPACE + 'cid'] = userCustomerId;
  idTokenClaims[configuration.NAMESPACE + 'language'] = userLanguage;
  accessTokenClaims[configuration.NAMESPACE + 'language'] = userLanguage;

  context.idToken = idTokenClaims;
  context.accessToken = accessTokenClaims;

  callback(null, user, context);
}

Hi Adam,

I am doing a POC with auth0 for a multitenant SaaS application and may have a similar use case.
I am planning to create organizations for each of our tenants and add members to them via invitations. We will not have members that will be shared across organizations.
I want to have a single login page for all tenants and want auth0 to identify the organization for me and send the org_id claim in the id token and access token.
Is this feasible out of box? If not, can I achieve this with any customizations?

Thanks,
Mustafa

3 Likes

Hello @adam.housman !
After a while reading posts, I ended up in the same place as @mustafa.sadikot
I understand it could be tricky to return an array of org_ids (although I’m in the same case as mustafa, end users will belong to one organization only) but I’d like to avoid by all means showing the login in which users have to write the name of their organization.

Is there any other way we can get the org_id(s) of a user without adding the extra step with the organization name at login?

What could be an alternative to retrieve the org_id the user belongs to, without the org prompt at login?

Thanks!

1 Like

@jose-ink , @mustafa.sadikot - we’ll be shipping some login flow improvements that will allow you to achieve this behavior out-of-the-box. Our current target is fourth quarter of this year.

Currently, the only way that I am aware of to achieve what you are describing is to fetch the user’s organization memberships from List User Organization Memberships Auth0 Management API via a confidential client, and send the org_id to Auth0 in a Silent Authentication request.

Note that the Management API is subject to rate limits.

1 Like

Hi @adam.housman. Org enhancements for multi-tenant applications are what we are looking for too (our Auth0 procurement is in process). Can you please give some information about how the flow would look?

FYI, our ideal flow is to have ‘identity first’ as the sign-on experience for both Auth0 database and external IDP connections. If the user can authenticate and belongs to only one org, our application receives the Org_ID in the claims. If the user belongs to multiple orgs (rare, but possible to belong to a few), the user would be shown a list of Organisations that they belong to and can select one which is then passed in the claims.

I realise that we could do this within our own UI as we can get a list of the user’s Organisations from the management API, but if Auth0 is going to provide a workflow to handle this in 2022, we can deliver something else in our product!

Thanks!
Stuart

2 Likes
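As an added example (not code from the thread or from Auth0), the decision and request-building steps of the flow Adam and Stuart describe above: the confidential client lists the user's memberships via the Management API, starts a Silent Authentication request when there is exactly one org, otherwise presents a choice, and afterwards confirms the org_id claim. The domain, client id, redirect URI and membership records are constructed placeholders, and the HTTP call to the Management API is left out.

```javascript
// Added example, not from the thread. Constructed sample responses shaped like
// the Management API "List User Organization Memberships" result.
const SAMPLE_ONE_ORG = [{ id: 'org_abc123', name: 'acme', display_name: 'Acme' }];
const SAMPLE_TWO_ORGS = [
  { id: 'org_abc123', name: 'acme', display_name: 'Acme' },
  { id: 'org_def456', name: 'globex', display_name: 'Globex' },
];

// Decide what to do from the membership list: no org, one org (silent auth
// with that org), or several orgs (show the user a list to pick from).
function chooseOrganization(memberships) {
  if (!Array.isArray(memberships) || memberships.length === 0) {
    return { action: 'no_org', organization: null };
  }
  if (memberships.length === 1) {
    return { action: 'silent_auth', organization: memberships[0].id };
  }
  return {
    action: 'prompt',
    choices: memberships.map(({ id, name, display_name }) => ({ id, name, display_name })),
  };
}

// Build the /authorize URL. The `organization` parameter is what makes Auth0
// include org_id in the ID and Access Token; prompt=none makes it a Silent
// Authentication request. Domain, client id and redirect URI are placeholders.
function buildAuthorizeUrl({ domain, clientId, redirectUri, organization, silent = false, state }) {
  const params = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: 'openid profile email',
    organization,
  });
  if (state) params.set('state', state);
  if (silent) params.set('prompt', 'none');
  return `https://${domain}/authorize?${params.toString()}`;
}

// After the callback, once the token signature has been verified, check that
// the org_id claim is the organization the app actually asked for.
function orgClaimMatches(claims, expectedOrgId) {
  return typeof claims.org_id === 'string' && claims.org_id === expectedOrgId;
}
```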

Hi @stuartcarter, I replied to the thread here.

2 Likes