Incorrect connection used in api?

Hi, I am pulling my hair out on this issue -

  • I have 3 applications (test, dev, prod) with 3 separate connections (password stores), and I am using organizations.
  • My test, dev & prod web applications are configured with the corresponding client_id/secret and endpoints.
  • I have added users and organizations and added the users to the organizations.
  • I have enabled connections on organizations and have multiple connections (typically dev & test) enabled for an organization.

The problem -

  1. For one user that I have added to the test environment, I am getting a login failure (incorrect password). The problem I am seeing is that the request log in Auth0 is showing the connection & connection_id of the dev environment/application. The client_id and name are correctly showing as the test application.
    … from the Auth0 monitoring log …
    "description": "user auth0|637d08da911bxxxxxxxx is not part of the org_esgTy2cROxxxxxxx organization",
    "connection": "meta-dev",
    "connection_id": "con_iXkOCb8xxxxxxx",
    "client_id": "ltGgdmzMLVdc3CmKjnkyxxxxxxx",
    "client_name": "Final (Test)",
  2. Although I have added the user to the organization (auto-membership on authentication is disabled), it is still saying the following (monitoring log) -
    "description": "user auth0|637d08da911bcxxxxxx is not part of the org_esgTy2cxxxxx organization"

I have double checked my application configs etc. I am able to log in with other IDs across my dev/test & prod environments/application … however, I think I am missing this gremlin.

I saw some other posts talking about “realms” etc., an area I haven’t yet studied … am I on the right path for diagnosis? Any pointers/clues would be appreciated … trying to figure out exactly what the behavior is when using applications/connections/users/organizations across my dev/test/prod environments to ensure I don’t accidentally grant the wrong access to the wrong person …

Kind regards,
Milan

Some additional info. I deleted the user and re-added the user in the dev app (connection). I am surprised that the user can now log in to dev, test & prod !!!

What is the right use of tenants/applications/connections/organizations?

I have 1 application, 3 environments (dev/test/prod), many organizations (B2B customers), users that can be part of multiple organizations, users that can log into multiple environments (eg. developers can log into dev/test but may be restricted from prod), also, users that may be allowed into the organization for dev/test but not prod.

So, should I really be using 3 Auth0 tenants (one for each environment)? Or is my use (creating 3 applications) to segregate dev / test / prod users appropriate?

Also, this does look like the limitation around the “connection selection” option in the universal login, as, I am suspecting, Auth0 is picking the first connection for an organization (in my case, the dev connection) … or am I missing a trick shot here? Any help will be greatly appreciated.

Thanks in advance …

Hi there @milangupta1 welcome to the community!

In general Auth0 does recommend setting up multiple environments for dev, test, prod, etc.

I’m not sure I fully understand your questions here - once a user has been prompted with an Organization login (either by entering the Org in UL, OR has been directed to the login otherwise). If you can elaborate a bit on it I’d be happy to help!

Thanks for the reply. I am going ahead and setting up 3 tenants. This of course has the downside of having to manage 3 tenants as well as having to create 3 users for each person etc. etc.

There are a couple of problems/mysteries I am seeing in a single tenant setup that, if fixed, would have allowed for a single tenant setup supporting multiple environments in my use case.
Specifically:

  • The ability to select a connection from the universal login screen (i.e. after specifying the organization) - this would handle the case where an application is configured with multiple connections enabled on it.
  • The mystery behavior where in the scenario (within a single tenant) -
    app1 → connection1 → user1
    app2 → connection2 → user2
    org1 → user1
    org2 → user2
    When I try to log in to org2 using user2, it is looking for the userid/password in connection1 and hence failing. I think this is because of the tenant level default connection setting. Whilst I ensured this is blank, I think Auth0 is still picking the first available connection for the tenant (i.e. connection1) vs. the first available one configured for the application (client_id/client_secret).

BTW> I am using elixir/phoenix with ueberauth, i.e. api/callback.

Hope this explains it more clearly.

Kind regards / Thanks for your help.
-M

BTW> This is also the reason why user1 was able to log into app2 (I think this is a security hole?).
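Both symptoms described in this thread (the test application's login attempt being logged against the dev connection, and user1 from connection1 being able to sign in to app2) are the kind of thing an audit over the tenant's log export would catch. The following is an added example, written for this thread and not code from the poster or from Auth0: it models the app1/connection1/user1, app2/connection2/user2, org1/org2 scenario above with placeholder ids, then checks each log event against that model, using the `description`, `connection_id`, `client_id` and `client_name` fields quoted in the thread. The `user_id` and `organization_id` fields on the successful-login events, and the regex that recovers the user and organization from the denial description, are assumptions of this example.

```python
import json
import re

# Constructed model of the thread's scenario (app1 -> connection1 -> user1,
# app2 -> connection2 -> user2, org1 -> user1, org2 -> user2). All ids are
# placeholders, not real Auth0 identifiers.
APP_CONNECTIONS = {               # connections enabled on each application
    "client_app1": {"con_dev"},
    "client_app2": {"con_test"},
}
ORG_CONNECTIONS = {               # connections enabled on each organization
    "org_1": {"con_dev"},
    "org_2": {"con_test"},
}
ORG_MEMBERS = {                   # explicit organization membership
    "org_1": {"auth0|user1"},
    "org_2": {"auth0|user2"},
}
USER_CONNECTION = {               # the password store each user actually lives in
    "auth0|user1": "con_dev",
    "auth0|user2": "con_test",
}

# Shape of the denial text quoted in the thread:
# "user auth0|... is not part of the org_... organization"
ORG_DENY_RE = re.compile(
    r"user (?P<user>\S+) is not part of the (?P<org>org_\w+) organization"
)


def audit_event(event):
    """Return the list of inconsistencies found in one log event.

    An empty list means the event agrees with the configured model: the
    connection used is enabled on the client and on the organization, the
    user lives in that connection, and a membership denial is consistent
    with the membership table.
    """
    findings = []
    client = event.get("client_id")
    conn = event.get("connection_id")
    # user/org come from user_id / organization_id fields when present
    # (assumed field names); otherwise they are recovered from the
    # denial description that the thread quotes.
    user = event.get("user_id")
    org = event.get("organization_id")
    m = ORG_DENY_RE.search(event.get("description", ""))
    if m:
        user = user or m.group("user")
        org = org or m.group("org")

    allowed = APP_CONNECTIONS.get(client)
    if allowed is None:
        findings.append(f"unknown client_id {client}")
    elif conn not in allowed:
        findings.append(f"connection {conn} is not enabled on client {client}")

    if org is not None and conn not in ORG_CONNECTIONS.get(org, set()):
        findings.append(f"connection {conn} is not enabled on organization {org}")

    if user is not None:
        home = USER_CONNECTION.get(user)
        if home != conn:
            findings.append(f"{user} lives in {home} but the attempt used {conn}")
        if allowed is not None and home not in allowed:
            findings.append(f"{user} from {home} should not reach client {client}")

    if m and m.group("user") in ORG_MEMBERS.get(m.group("org"), set()):
        findings.append(f"{m.group('user')} is a member of {m.group('org')} but was denied")

    return findings


def audit_log(ndjson_text):
    """Audit every JSON line of a log export; returns {line_number: findings}."""
    report = {}
    for n, line in enumerate(ndjson_text.splitlines(), start=1):
        if line.strip():
            report[n] = audit_event(json.loads(line))
    return report


# Constructed sample export (one JSON object per line), shaped like the
# fields quoted in the thread. Line 1 is the thread's first symptom, line 2
# is a clean login, line 3 is user1 reaching app2 through the dev connection.
SAMPLE_LOG = """\
{"description": "user auth0|user2 is not part of the org_2 organization", "connection": "meta-dev", "connection_id": "con_dev", "client_id": "client_app2", "client_name": "Final (Test)"}
{"description": "Success Login", "connection": "meta-test", "connection_id": "con_test", "client_id": "client_app2", "client_name": "Final (Test)", "user_id": "auth0|user2", "organization_id": "org_2"}
{"description": "Success Login", "connection": "meta-dev", "connection_id": "con_dev", "client_id": "client_app2", "client_name": "Final (Test)", "user_id": "auth0|user1", "organization_id": "org_2"}
"""

if __name__ == "__main__":
    for n, findings in audit_log(SAMPLE_LOG).items():
        print(n, findings or "ok")
```

The model is deliberately strict: a connection is only acceptable for an event if it is enabled on the application and on the organization, and the authenticated user must actually live in that connection. Running the check over a real export after each environment change is a cheap way to notice when a login is being routed through a connection the application was never meant to use, which is exactly the cross-environment access the thread is worried about.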