I’m building a multi-tenant WPF application.
I have different tenants defined in Auth0 (organizations), let’s call them Tenant_1 and Tenant_2, and each of these organizations has at least one admin user named “Admin” (automatically created by my service).
I’ve enabled login with username to allow users of the WPF application to enter Admin + password on the proper organization login page (I added the organization_id hint to the request).
I’m using the Auth0 SDK to communicate with Auth0.
The issue I’ve encountered:
When I am in Tenant_2 and try to log in with the Admin user, I get an “incorrect password” error although the password is definitely correct (again, I send the Tenant_2 organization ID with the request). If I enter the password of the Tenant_1 Admin user, I log in successfully (I get an access token with the organization_id of Tenant_1), but it fails at a later point because I do some verification on my service endpoints.
So the issue seems to be that when using Username + Password with multi-tenant, there’s a missing check of the organization_id for the user being looked up, so it fetches the first user with the Admin username with no further check of the org_id.
I was wondering if anyone has encountered the same issue and has resolved it?
Currently the only way to resolve this on my end is to permit login only with email instead of username. But my clients are already used to Username, and I’d like to stay backward compatible with the migration to Auth0.
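The post mentions that the mismatch is only caught later by verification on the service endpoints. The following is an added example (not code from the original post, the Auth0 SDK, or the author's service) of what that server-side check looks like: the endpoint verifies the token and then requires the organization claim to match the tenant the request was made for, so a token issued for Tenant_1 is rejected on a Tenant_2 endpoint rather than being accepted and failing somewhere deeper. It assumes the organization is carried in an `org_id` claim (Auth0's documented claim name for organization logins; confirm against your own tokens) and, to stay self-contained, signs the constructed demo tokens with HS256 and a shared secret. Real Auth0 access tokens are RS256-signed and must be verified against the tenant's JWKS instead; the organization comparison is the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret so the example runs offline. Production tokens from
# Auth0 are RS256-signed; verify them with the tenant's JWKS, not a shared key.
DEMO_SECRET = b"constructed-demo-signing-key"

# Constructed placeholder organization IDs (real ones look like org_xxxxxxxx).
ORG_TENANT_1 = "org_tenant1_placeholder"
ORG_TENANT_2 = "org_tenant2_placeholder"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_demo_token(sub: str, org_id: str, key: bytes = DEMO_SECRET) -> str:
    """Build a minimal HS256 JWT carrying an org_id claim (constructed test data)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "org_id": org_id, "exp": int(time.time()) + 300}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_tenant_token(token: str, expected_org_id: str, key: bytes = DEMO_SECRET) -> dict:
    """Verify signature and expiry, then require the org_id claim to equal the
    organization this endpoint serves. Raises PermissionError on any failure."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        # Pin the algorithm: never let the token choose how it is verified.
        raise PermissionError("unexpected alg")
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise PermissionError("bad signature")
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) < time.time():
        raise PermissionError("token expired")
    # The tenant check: a valid token for the wrong organization is still a reject.
    if payload.get("org_id") != expected_org_id:
        raise PermissionError(
            f"organization mismatch: token is for {payload.get('org_id')!r}, "
            f"endpoint serves {expected_org_id!r}"
        )
    return payload


def is_token_for_tenant(token: str, expected_org_id: str, key: bytes = DEMO_SECRET) -> bool:
    """Boolean wrapper for request handlers that just need allow/deny."""
    try:
        verify_tenant_token(token, expected_org_id, key)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Token issued after a Tenant_1 login (the scenario from the post).
    tenant1_token = make_demo_token("auth0|admin-tenant1", ORG_TENANT_1)
    print("Tenant_1 endpoint:", is_token_for_tenant(tenant1_token, ORG_TENANT_1))
    print("Tenant_2 endpoint:", is_token_for_tenant(tenant1_token, ORG_TENANT_2))
```

Running the block accepts the Tenant_1 token on the Tenant_1 endpoint and rejects it on the Tenant_2 endpoint, which is the earliest point at which the wrong-organization login described above can be stopped server-side; the organization the client asked for has to come from the endpoint's own routing or configuration, never from the token itself.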