Org_id not populating from universal sign-on

I have users who are in one organization and when logging on through universal login with identity first or identity first + biometrics, the claim has no org_id

Hi @ben30

The org_id will not be present inside the access token claims. You will need to set them using custom claims via a PostLogin Action as such:

exports.onExecutePostLogin = async (event, api) => {
  // event.organization is only populated when the user authenticated through an organization
  const orgID = event.organization && event.organization.id;
  if (orgID) {
    api.idToken.setCustomClaim("organization_id", orgID);
  }
};

If you have any other questions, feel free to let me know!

Kind Regards,
Nik

Thanks Nik! To clarify – I made that addition but it’s not showing up. If a user goes through universal login they should have the organization set right?

Ben

Basically – the event.organization is empty – I’m seeing elsewhere that user needs to “pick an organization” for this flow to work, but these users are just in one organization so I don’t think that applies?

Hi again @ben30

Sorry, I made a mistake in the last post. The org_id claim will be visible if the user authenticates through an organization by passing in the org_id as a parameter in the /authorize call OR by being prompted to log in with an organization.

https://{{AUTH0_DOMAIN}}/authorize?response_type=code&client_id={{client_id}}&organization={{org_id}}&redirect_uri={{redirect_uri}}

Otherwise, you will need to retrieve the org_id via the Management API.

As mentioned above, unless the user authenticated through the organization, the org_id will not be present in the claim or be a part of the event inside the PostLogin Action.

Hope this helps!

If you need further assistance, feel free to let me know!

Kind Regards,
Nik

I’m a bit confused here – if there’s only one organization then what is the problem here? This feels like a pretty huge feature gap that we can’t use the auth0 built login portal with the auth0 built organization flow

this link (Work with Tokens and Organizations) seems to suggest that if the user goes through the main login flow the org id is returned? Although it’s unclear to me how to get the org switcher to show up.

Hi,

Just to clarify, if you have an organization created on your Auth0 Dashboard with a connection enabled for it, if the user who logs into your application is part of the organization and your application’s Organizations settings are set to Business Users or Both, an organization ID will be passed into the ID and Access Token automatically without needing to use an action.

Have you checked if the organization allows users connecting through a specific connection to allow auto-membership? If no org_id is returned that means the user that logged in is not part of an organization or they did not authenticate through the organization page.

I have run a sample application and authenticated with a user within an organization and the profile does contain the org_id as seen below:

I have also logged in with a user which was not part of the organization and they also have the org_id present since the connection policy was set to Auto-Membership.

Please double check if Organizations are configured for your application and if the organization itself has the connection that you are using allowed.

If you have any other questions, let me know!

Kind Regards,
Nik

Hi Nik,

  1. I do have Both set for the application organization settings
  2. I have an organization with several different connections incl. username/password
  3. I have created a new user with U/P signin (no auto membership)
  4. I added the user to the organization
  5. Logged in with the user
  6. No organization parameter in event in action logs

Is there anything I’m missing?

Ben

Hi again.

I have tried reproducing the steps above and my user would still contain the org_id whenever logging in with an organization.

Whenever I had the application set to Both, when logging in, it would prompt the user to log in using personal account or log in with organization.

Only when logging in with a personal account the ID token would not contain an org_id.

Have you attempted to use a sample application to see if the user profile on the app contains the org id?
Also, how do you log the org id? If you log it using console.log(event.organization.id);
it should return the id of the org that the user is a part of.

Could you share some screenshots of the steps and results you receive on your end?

Kind Regards,
Nik

Hi Nik,

I set this


to prompt for organization, and then if the user sets their organization it works, but I want a user not to have to select – if they’re in one organization I’d like it to automatically use said organization, is this possible?

Ben

Hi

This can be achieved by using the Business Users setting for the Application. However, if the user is not part of an organization when they log in, the login will be denied.
Otherwise, if:

  • A user is created via Management API for example
  • Has an organization created for them
  • User is added to organization
  • User attempts to log in

They should not have issues with a flow like this. However, if you attempt to:

  • Have a user sign up
  • An organization is created for them
  • User is added to the organization
  • Continues with the login process

In this scenario, you would need to create the organization and create the user via a Pre/PostUserRegistration action or via a Form which would do the steps provided above prior to them completing the sign-up/login.

If you want to continue with the Both option, in that case, the users will always be prompted to choose between a personal account or to continue with an organization when they log in via the Universal Login page.

If I can help with anything else, let me know.

Kind Regards,
Nik

Is there any plan on the roadmap to remedy this? Or can I make a user organization only? (remove their personal status). What would be the recommendation here for best practices? It seems like the options are as follows:

  1. Use an action in postlogin to hit the management api to get the organization
  2. Create an organization for non-b2b users and add users to it automatically on sign up (if possible)

Any other method to do this? Any recommendation on the above?

Hi again @ben30

Unfortunately, this would be expected behaviour whenever using organizations.

If for your use case the organization would be created post user registration and they would be invited after that, unless they log in again through the organization, the org_id will not be present.

In that case, both the options you have presented above would be suitable. Otherwise, you can also try to log out the user from the application after the registration is complete and perform a silent authentication, passing in the org_id inside the /authorize call; however, you would need to make a call using the Management API in order to return the org_id.

If you have any other questions, let me know!

Kind Regards,
Nik

I hope I’m not belaboring the point, but the organization does exist before user login, and potentially user creation – does that help?

I see.

In short terms, unless the user is part of an organization when they log in/prior to the log in, the org_id will not be present.

If the user is not part of the organization when logging in and the application is set to use Both or Business Users for the organization, the ID Token will not contain the org_id. The user needs to be part of the organization prior to submitting credentials. Even if they will be added to the organization after login, the tokens issued will not contain it.

Otherwise, if the user is part of the organization prior to logging in, the tokens will contain the org_id.

Kind Regards,
Nik

Sorry do you mean log in or sign up? I’ve logged out and logged in and the org id is still not present. In the signup case do you mean that the user needs to be created specifically in auth0 with an org id present before they log in for the first time?

If the user is part of an organization and they:

  • Log in using Both organization setting → user selects their organization → the id token will contain the org_id (if the user continues with personal account, the id token will not contain the org_id)
  • Log in using Business Users → the id token will contain the org_id

On sign-up, even if the organization is present, even if they are added to the organization during the process, they will be logged in without an org_id. They would need to log out → log in again (using one of the methods specified above) → the id token will contain the org_id.

Do you mean that a user who is part of the organization does not contain the org_id inside the token?

Kind Regards,
Nik

Understood – my main concern is figuring out a way to avoid a user selecting their organization, is there any way to do that without either setting it manually in an action or switching to business users organization setting?

Unfortunately, the user will be asked for an organization when using the Both setting instead of Business Users.

One way to bypass this would be to redirect the user to the /authorize endpoint and pass in the organization id as a parameter inside the URL; however, you would need to know or retrieve the organization of the user before redirecting them to it.

Let me know if you have any other questions!

Kind Regards,
Nik
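The Management API fallback that Ben lists as option 1 and that Nik's last replies describe, written out as an added example (not code from the thread or from Auth0). It keeps Auth0's own org_id when the user came through an organization-aware login and only falls back to a membership lookup for personal-account logins. `listUserOrganizations` is an assumed, caller-supplied async wrapper around the Management API's list-user-organizations endpoint (GET /api/v2/users/{id}/organizations), injected so the logic runs offline here; the claim name is the one used earlier in the thread.

```javascript
// Added example, not the thread's or Auth0's code. PostLogin logic that trusts
// event.organization when present and otherwise resolves a single membership via
// an injected Management API wrapper (assumed: GET /api/v2/users/{id}/organizations).
const CLAIM = "organization_id";

async function resolveOrganization(event, listUserOrganizations) {
  // Organization-aware login (organization= in /authorize or the org prompt):
  // the runtime already populated event.organization, so use that as-is.
  if (event.organization && event.organization.id) {
    return { id: event.organization.id, source: "authorize" };
  }
  // Personal-account login: event.organization is absent, so look the user up.
  const orgs = await listUserOrganizations(event.user.user_id);
  if (orgs.length === 1) {
    return { id: orgs[0].id, source: "management_api" };
  }
  // No membership or several memberships: do not guess which one applies,
  // leave the claim unset rather than assert an organization the user never chose.
  return null;
}

// Same shape as the Action entry point; the lookup is a third argument only so
// the function can be exercised without network access.
async function onExecutePostLogin(event, api, listUserOrganizations) {
  const org = await resolveOrganization(event, listUserOrganizations);
  if (org) {
    api.idToken.setCustomClaim(CLAIM, org.id);
    api.accessToken.setCustomClaim(CLAIM, org.id);
  }
  return org;
}
```

In a deployed Action the wrapper would be built from a ManagementClient configured with a secret-backed M2M credential, and the lookup result should be cached or scoped so every login does not cost a Management API call.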