matt34
January 4, 2025, 3:44am
1
Hi everyone,
I’m migrating an application from an internally created auth system to Auth0 and would appreciate some guidance.
Current Setup:
We have a root domain (e.g., example.com) and subdomains for each workspace (e.g., workspace1.example.com).
Root Domain Login:
Verifies user email.
Generates a JWT used to retrieve all workspaces the user belongs to.
A session is created on the root domain for email verification purposes only.
Workspace Login:
Each workspace supports different login methods (e.g., Microsoft, Google, password, Enterprise SSO).
Users must belong to an organization to access its workspace.
Workspace sessions are unique to the user/workspace/subdomain and provide access to authenticated content.
Current Signup Flow:
Users verify their email on example.com.
On the backend, we create a workspace, subdomain, and session for the subdomain.
Users are redirected to the workspace, authenticated via the session created during the signup process.
This works because the backend generates the initial workspace-specific session during the “create workspace” API call.
My Question:
What I’ve Considered:
Global Application:
Configured as “Individuals” in the organization settings.
Used only for email verification.
Workspace Application:
Configured as “Business Users” in the organization settings.
Handles login for specific workspaces.
The Problem:
JWTs created in the “Global” application aren’t compatible with the “Workspace” application.
JWTs don’t contain organization information, making it challenging to establish a seamless flow.
I’ve attached a flowchart to illustrate the setup and flow.
Any suggestions or best practices for structuring this in Auth0? Thanks in advance!
matt34
January 4, 2025, 3:49am
2
I can’t seem to link an image, sorry
matt34:
Hi everyone,
I’m migrating an application from an internally created auth system to Auth0 and would appreciate some guidance.
Current Setup:
We have a root domain (e.g., example.com) and subdomains for each workspace (e.g., workspace1.example.com).
Root Domain Login:
Verifies user email.
Generates a JWT used to retrieve all workspaces the user belongs to.
A session is created on the root domain for email verification purposes only.
Workspace Login:
Each workspace supports different login methods (e.g., Microsoft, Google, password, Enterprise SSO).
Users must belong to an organization to access its workspace.
Workspace sessions are unique to the user/workspace/subdomain and provide access to authenticated content.
Current Signup Flow:
Users verify their email on example.com.
On the backend, we create a workspace, subdomain, and session for the subdomain.
Users are redirected to the workspace, authenticated via the session created during the signup process.
This works because the backend generates the initial workspace-specific session during the “create workspace” API call.
My Question:
What I’ve Considered:
Global Application:
Configured as “Individuals” in the organization settings.
Used only for email verification.
Workspace Application:
Configured as “Business Users” in the organization settings.
Handles login for specific workspaces.
The Problem:
JWTs created in the “Global” application aren’t compatible with the “Workspace” application.
JWTs don’t contain organization information, making it challenging to establish a seamless flow.
I’ve attached a flowchart to illustrate the setup and flow.
Any suggestions or best practices for structuring this in Auth0? Thanks in advance!
Hello @matt34 ,
Global Application : Use this for initial email verification only.Workspaces Applications : Configure individual applications for each workspace to handle different login methods and sessions.
To address JWT compatibility and organization data, you may need to implement Auth0 Actions or Rules to include organization information in the tokens.
I recommend checking Auth0’s docs on user migration and community discussions for additional insights.
Best Regards,