I have 3 applications (test, dev, prod) with 3 separate connections (password stores), and I am using organizations.
My test, dev & prod web applications are configured with the corresponding client_id/secret and endpoints.
I have added users and organizations and added the users to the organizations.
I have enabled connections on organizations and have multiple connections (typically dev & test) enabled for an organization.
The problem -
For one user that I have added to the test environment, I am getting a login failure (incorrect password). The problem I am seeing is that the request log in Auth0 is showing the connection & connection_id of the dev environment/application. The client_id and name are correctly showing as the test application.
… from the Auth0 monitoring log …
“description”: “user auth0|637d08da911bxxxxxxxx is not part of the org_esgTy2cROxxxxxxx organization”,
“client_name”: “Final (Test)”,
Although I have added the user to the organization (although auto-membership on authentication is disabled), it is still saying the following (monitoring log) -
“description”: “user auth0|637d08da911bcxxxxxx is not part of the org_esgTy2cxxxxx organization”
I have double checked my application configs etc. I am able to log in with other IDs across my dev/test & prod environments/application … however, I think I am missing this gremlin.
I saw some other posts talking about “realms” etc., an area I haven’t yet studied … am I on the right path for diagnosis? Any pointers/clues would be appreciated … trying to figure out exactly what the behavior is when using applications/connections/users/organizations across my dev/test/prod environments to ensure I don’t accidentally grant the wrong access to the wrong person …
Some additional info. I deleted the user and re-added the user in the dev app (connection). I am surprised that the user can now log in to dev, test & prod !!!
What is the right use of tenants/applications/connections/organizations?
I have 1 application, 3 environments (dev/test/prod), many organizations (B2B customers), users that can be part of multiple organizations, users that can log into multiple environments (e.g. developers can log into dev/test but may be restricted from prod), and also users that may be allowed into the organization for dev/test but not prod.
So, should I really be using 3 Auth0 tenants (one for each environment)? Or is my use (creating 3 applications) to segregate dev / test / prod users appropriate?
Also, this does look like the limitation around the “connection selection” option in the universal login, as, I am suspecting, Auth0 is picking the first connection for an organization (in my case, the dev connection) … or am I missing a trick shot here? Any help will be greatly appreciated.
In general Auth0 does recommend setting up multiple environments for dev, test, prod, etc.
I’m not sure I fully understand your questions here. Once a user has been prompted with an Organization login (either by entering the Org in UL, or has been directed to the login otherwise) If you can elaborate a bit on it, I’d be happy to help!
Thanks for the reply. I am going ahead and setting up 3 tenants. This of course has the downside of having to manage 3 tenants as well as having to create 3 users for each person etc. etc.
There are a couple of problems/mysteries I am seeing in a single tenant setup that if fixed, would have allowed for a single tenant setup supporting multiple environments in my use case.
The ability to select a connection from the universal login screen (i.e. after specifying the organization) - this would handle the case where an application is configured with multiple connections enabled on it.
The mystery behavior where in the scenario (within a single tenant) -
app1 → connection1 → user1
app2 → connection2 → user2
org1 → user1
org2 → user2
When I try to log in to org2 using user2, it is looking for the userid/password in connection1 and hence failing. I think this is because of the tenant-level default connection setting. Whilst I ensured this is blank, I think Auth0 is still picking the first available connection for the tenant (i.e. connection1) vs. the first available one configured for the application (client_id/client_secret).
BTW, I am using Elixir/Phoenix with Ueberauth, i.e. api/callback.
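As an added example (not code from this thread, from Auth0, or from the poster's Phoenix project), here is a small offline audit of a tenant snapshot that reproduces the app1/app2/org1/org2 scenario above and flags every (application, organization, member) combination where the connection holding the user's password is not the one a login would resolve to. The snapshot is constructed inline; the rule that the first enabled connection wins when several are enabled is the thread's hypothesis about Universal Login without a connection picker, not documented Auth0 behaviour, and is marked as such in the code.

```python
# Added example, not code from the thread or from Auth0: an offline audit of a
# tenant snapshot (apps, connections, organizations, users) that flags logins
# where the connection holding the user's password is not the one a login for
# (application, organization) would resolve to.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    connection: str                         # database connection holding the password
    orgs: set = field(default_factory=set)  # organizations the user is a member of


@dataclass
class Tenant:
    app_connections: dict   # application -> connections enabled on it
    org_connections: dict   # organization -> enabled connections, in enabled order
    users: dict             # user_id -> User


def candidate_connections(tenant, app, org):
    """Connections a login for (app, org) could use: enabled on both,
    kept in the organization's order."""
    app_enabled = set(tenant.app_connections.get(app, []))
    return [c for c in tenant.org_connections.get(org, []) if c in app_enabled]


def audit_login(tenant, app, org, user_id):
    """Return the problems a login of user_id into app via org would hit.
    An empty list means the login resolves to the user's own connection."""
    problems = []
    user = tenant.users[user_id]
    if org not in user.orgs:
        problems.append(f"{user_id} is not a member of {org}")
    cands = candidate_connections(tenant, app, org)
    if not cands:
        problems.append(f"no connection is enabled on both {app} and {org}")
    elif user.connection not in cands:
        problems.append(
            f"{user_id} lives in {user.connection}, which is not enabled for "
            f"{app} + {org} (enabled: {cands})"
        )
    elif len(cands) > 1 and cands[0] != user.connection:
        # Assumption taken from the thread, not documented behaviour: with no
        # connection picker in Universal Login, the first enabled connection is
        # tried, so the password lookup lands in the wrong store.
        problems.append(
            f"ambiguous: {cands} enabled for {app} + {org}; first is "
            f"{cands[0]} but {user_id} lives in {user.connection}"
        )
    return problems


def audit_members(tenant):
    """Audit every (app, org, member) combination; only failing ones are returned."""
    report = {}
    for user in tenant.users.values():
        for org in sorted(user.orgs):
            for app in sorted(tenant.app_connections):
                problems = audit_login(tenant, app, org, user.user_id)
                if problems:
                    report[(app, org, user.user_id)] = problems
    return report


# Constructed snapshot mirroring the scenario in the post: app2 has both
# connections enabled (the "multiple connections enabled" case from the
# thread), and org2 lists connection1 before connection2.
TENANT = Tenant(
    app_connections={"app1": ["connection1"], "app2": ["connection1", "connection2"]},
    org_connections={"org1": ["connection1"], "org2": ["connection1", "connection2"]},
    users={
        "user1": User("user1", "connection1", {"org1"}),
        "user2": User("user2", "connection2", {"org2"}),
    },
)

# Same tenant with app2 restricted to connection2 only: the ambiguity goes away.
RESTRICTED = Tenant(
    app_connections={"app1": ["connection1"], "app2": ["connection2"]},
    org_connections=TENANT.org_connections,
    users=TENANT.users,
)

if __name__ == "__main__":
    for key, problems in audit_members(TENANT).items():
        print(key, "->", problems)
    print("restricted:", audit_members(RESTRICTED))
```

Run stand-alone, the audit reports both of user2's logins into org2 as problems (app1 cannot reach connection2 at all; app2 has connection1 first), and shows that enabling only the environment's own connection on each application makes the ambiguity disappear. The same checks could be fed from a Management API export of clients, organizations' enabled connections and users, but this block uses the inline data only.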