Organization Invitations with Roles

I’m trying to send invitations to an organization using the /api/v2/organizations/:id/invitations endpoint from these Auth0 Docs

The invitation is emailed and I can sign up but I’m seeing two issues:

  1. The role isn’t assigned to the user
  2. Their invitation in the specified organization stays on the pending status

I’m specifying the correct role id in roles: [<ROLE_ID>]

import axios from 'axios';

// Create an organization invitation through the Management API.
const response = await axios({
  method: 'POST',
  url: `https://<AUTH_0_DOMAIN>/api/v2/organizations/<ORG_ID>/invitations`,
  headers: {
    'Content-Type': 'application/json',
    Authorization: `Bearer ${process.env.MGMT_API_TOKEN}`,
    'Cache-Control': 'no-cache',
  },
  data: {
    inviter: { name: 'John Smith' },
    invitee: { email: 'johnsmith@gmail.com' },
    client_id: '<AUTH0_CLIENT_ID>',
    connection_id: '<CONNECTION_ID>', // Username-Password-Authentication
    ttl_sec: 604800,
    roles: ['<ROLE_ID>'],
    send_invitation_email: true,
  },
});

Hi @Zipena,

After receiving the invitation email, please click on the link and continue with signing up or logging in to complete the invitation process. Once this is done, the user’s invitation will move out of the pending status, and they will be assigned to their role.

Could you please give that a try and let me know how it goes?

Thanks,
Rueben

Hey @rueben.tiow thanks for the quick reply. I did go through the process of signing up and logging in and it’s still in the pending state with no roles. I verified that I’m passing the correct role.

I noticed that all of my invitations remain in pending. Even made sure to click the verify email that gets sent after I signed up. Also logged in on a different browser with that new user and still the same thing. Pending and no assigned role within the organization or at the user level.

None of the invitations have moved out of the pending state even though I’ve signed up and logged in with all of these users

Still can’t seem to figure out why this endpoint isn’t behaving as expected? Any ideas as to why the role wouldn’t be applied and the invitation would remain in the pending state?

Hi @Zipena,

Thanks for the follow up.

I suspect you might be logging in to your regular login page instead of the Organization login page, which is preventing you from completing the Organization invitation flow.

Could you please confirm if you are logging in to your Organization? In the email invitation, you should see a query parameter &organization={{org_id}} in the invitation URL.

When logging in to your Organization, it should look slightly different than your regular login page.

Thanks,
Rueben

It is the invitation from the organization. I supplied the org id in the query param https://<AUTH_0_DOMAIN>/api/v2/organizations/<ORG_ID>/invitations when I sent it.

This is the email I received. It has &organization={{org_id}}

Hi @Zipena,

Thanks for the reply.

When you open the invitation link in your browser, do you see the Organization log in page?

For example, if you have an organization logo configured, do you see that?

Or do you see something else?

Typically, the invitation login URL should look something like the following:
https://YOUR_DOMAIN.REGION.auth0.com/authorize?response_type=code&client_id={{client_id}}&redirect_uri={{redirect_uri}}&audience={{audience}}&scope={{scopes}}&state={{state}}&invitation={{invitation_id}}&organization={{org_id}}&organization_name={{org_name}}

Thanks,
Rueben

Thanks for the consistent replies.

I don’t see that. This is what I see when I click the invitation url from my previous response:

It first attempts to go to my app, sees that the user isn’t logged in and then takes them to the login screen. The user can then select sign up and sign up

Step One - attempts to go to my app

Step Two - Login / Sign Up screen (I’ve customized in the Auth0 dashboard settings)

Hi @Zipena,

Thanks for the reply.

I have reviewed your screenshot and noticed that the invitation URL appears as “https://app…com/”, which does not match your tenant name.

It should look like “https://dev05kn…us.auth0.com/”.

I suggest getting a fresh invitation URL, and modifying it to use your canonical domain (https://dev05kn…auth0.us.com). Afterward, try accessing that URL in your browser.

This should bring you to a different screen that would look more like the following:

Thanks,
Rueben

There’s nothing in the API call that would make it be my app’s domain. Where would this be defined in the Auth0 dashboard? I’m assuming it’s getting overridden by something I set then

ok, I got it now. Had to change the Application Login URI in my Auth0 dashboard then create a /login route in my app. After I did this it assigned the role in my organization.

Then followed this documentation to configure login routes and invite org members

The documentation says to get the invitation id and organization id from the invite url when you land on the /login route then redirect to /authorization

It did make me go through a consent screen after sign up and then on first login. Seems like it’s a confusing user experience because they’re using my app but just being invited to this specific organization in my app

Is this consent screen necessary?
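
The fix reached in this thread, sketched as an added example (not code from the thread or from Auth0): the app's /login route has to carry the `invitation` and `organization` query parameters from the emailed link through to /authorize, otherwise the user lands on the regular login page and the invitation stays pending. The domain, client ID, redirect URI, the function name and the two validation patterns are placeholder assumptions.

```javascript
// Added example. CONFIG values are placeholders, not real tenant settings.
const CONFIG = {
  domain: 'YOUR_DOMAIN.REGION.auth0.com', // canonical tenant domain
  clientId: 'YOUR_CLIENT_ID',
  redirectUri: 'https://app.example.com/callback',
  scope: 'openid profile email',
};

// Assumed shapes: conservative allow-lists chosen for this example,
// not formats taken from the Auth0 documentation.
const ORG_RE = /^org_[A-Za-z0-9]+$/;
const INVITE_RE = /^[A-Za-z0-9_-]+$/;

// Given the URL that hit the app's /login route, return the /authorize URL
// to redirect the browser to. `state` must be a fresh random value that the
// caller has stored in the user's session for the callback to compare.
function buildAuthorizeUrl(loginRequestUrl, state, config = CONFIG) {
  // The base is only used to resolve a relative path such as "/login?...".
  const incoming = new URL(loginRequestUrl, 'https://placeholder.invalid');
  const invitation = incoming.searchParams.get('invitation');
  const organization = incoming.searchParams.get('organization');

  const authorize = new URL(`https://${config.domain}/authorize`);
  const base = {
    response_type: 'code',
    client_id: config.clientId,
    redirect_uri: config.redirectUri,
    scope: config.scope,
    state,
  };
  for (const [k, v] of Object.entries(base)) authorize.searchParams.set(k, v);

  // An invitation link carries both values; a lone or malformed one is
  // rejected instead of being forwarded. Nothing else is copied across.
  if (invitation !== null || organization !== null) {
    if (!INVITE_RE.test(invitation ?? '') || !ORG_RE.test(organization ?? '')) {
      throw new Error('malformed invitation link');
    }
    authorize.searchParams.set('invitation', invitation);
    authorize.searchParams.set('organization', organization);
  }
  return authorize.toString();
}
```

In an Express-style handler this would be called with `req.originalUrl` and the result passed to `res.redirect`.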
