I just read the “Building B2B SaaS Products” post from @shreya.gupta and have a question / issue that has been bugging my team and me for over a year now:
I want to test my Organization-enabled (exclusive for organizations, no org_id → no access) API. This is impossible since:
" * Organizations-enabled applications are not compatible with the following grants and protocols: Resource Owner Password, Client Credentials, Device Authorization Flow, WS-Fed (Auth0 as IdP)." - Understand How Auth0 Organizations Work
I could solve the permission/role tests with M2M tokens, but M2M tokens do not have an org_id, which means access to the API is prohibited.
Thinking out loud here - Have you considered just adding the org_id as a custom claim to the m2m token in an action? You won’t be able to use org_id as it’s restricted, but you could use something like test_org_id. This would require your API checking for the custom claim as opposed to org_id:
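What that suggestion looks like end to end, as an added example (not code from the original thread or from Auth0): an Action for the Machine to Machine (credentials-exchange) trigger that stamps a namespaced test claim onto tokens issued to allow-listed test clients, plus the API-side check that honours that claim only outside production and only for M2M tokens from a known test client pinned to that org. `api.accessToken.setCustomClaim` is the real Actions method; the claim name, client IDs, org IDs and the `isProduction` switch are made-up placeholders. The M2M token shape (`sub` ending in `@clients`, `gty` of `client-credentials`) is how Auth0 issues client-credentials tokens.

```javascript
// Added example, not from the original post. Auth0 Actions' credentials-exchange
// trigger exposes api.accessToken.setCustomClaim(); everything else here
// (claim name, client IDs, org IDs, the fake `api`) is constructed for illustration.

// Hypothetical namespaced claim. Actions may not set reserved claims such as
// org_id, so a namespaced name avoids collisions and makes the intent obvious.
const TEST_ORG_CLAIM = "https://example.com/test_org_id";

// Hypothetical allow-list: each test M2M client is pinned to exactly one
// organization, so a test client cannot mint a token for an arbitrary org.
const TEST_CLIENT_ORGS = {
  abc123TestClientId: "org_test_abc123",
};

// Auth0 Action body for the Machine to Machine trigger. In the dashboard this is
// written as `exports.onExecuteCredentialsExchange = async (event, api) => {...}`;
// it is kept synchronous here so the file can be exercised offline.
function onExecuteCredentialsExchange(event, api) {
  const orgId = TEST_CLIENT_ORGS[event.client.client_id];
  if (orgId) {
    api.accessToken.setCustomClaim(TEST_ORG_CLAIM, orgId);
  }
}

// Stand-in for the `api` object Auth0 passes to an Action; it only records claims.
function makeFakeApi() {
  const claims = {};
  return {
    claims,
    accessToken: { setCustomClaim: (name, value) => { claims[name] = value; } },
  };
}

// Build the claims a client-credentials token would carry after the Action ran.
// sub/azp/gty are the claims Auth0 itself puts in M2M tokens (constructed here).
function simulateTokenClaims(clientId) {
  const api = makeFakeApi();
  onExecuteCredentialsExchange({ client: { client_id: clientId } }, api);
  return { sub: `${clientId}@clients`, azp: clientId, gty: "client-credentials", ...api.claims };
}

// API side: which organization may this (already signature-verified) token act for?
// Returns the org id, or null when the token must be rejected.
function resolveOrgId(claims, { isProduction }) {
  // Real organization tokens carry org_id; nothing else is needed.
  if (typeof claims.org_id === "string" && claims.org_id) return claims.org_id;

  // The test claim is a deliberate bypass, so it is refused in production outright.
  if (isProduction) return null;
  const testOrg = claims[TEST_ORG_CLAIM];
  if (typeof testOrg !== "string") return null;

  // Only M2M tokens qualify, and only from a test client pinned to the claimed org.
  const isM2M = claims.gty === "client-credentials"
    && typeof claims.sub === "string"
    && claims.sub.endsWith("@clients");
  if (!isM2M) return null;
  const clientId = claims.sub.slice(0, -"@clients".length);
  if (TEST_CLIENT_ORGS[clientId] !== testOrg) return null;
  return testOrg;
}

if (typeof module !== "undefined") {
  module.exports = { TEST_ORG_CLAIM, onExecuteCredentialsExchange, simulateTokenClaims, resolveOrgId };
}
```

The API change is small (one fallback branch in the place that already reads `org_id`), but the two guards matter: without the production switch the test claim is an organization bypass for anyone holding a test client secret, and without the client-to-org pin a test client could impersonate any tenant.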
Thanks, but that would also mean special logic in my app to handle this case for testing, which is not ideal. I’d prefer to have a proper solution from auth0 for this.
No worries, happy to help where I can. Unfortunately, as M2M tokens don’t support an organization, I can’t see that being an option for strictly testing, but feel free to create a Feedback request.
The only other option I can really think of for testing, given the org_id requirement, is creating a test user (or users) in the organizations. Auth0 unfortunately doesn’t offer any sort of user impersonation, so this may be your best bet. The auth0-cli provides a test token command which could be useful in generating an access token for test users.