Organization Signup & New Tokens

Hi there,
I have run into an implementation issue in regard to users signing up to organizations.
Auth0 does not currently support a user becoming an org member on sign up. It’s either that the user gets added, or invited.

To work around this, we are allowing users to sign up, and then soon after sign up we add them to the organization based on the subdomain they access our site through.

What I then would like is to have the token to reflect that they are a part of that organization.

Will the user have to log off and log back in to the organization specific login to achieve this?

I am currently working on getting a new access token after the user is updated, and then using that to update their id token.
One issue I am running into is that as soon as I call getAccessTokenSilently({ignoreCache: true}), any subsequent Auth0 request fails because ‘the user is logged out’. I assume the previous token is invalidated when the new one is created. Is that a correct assumption?

Ideally I would like to seamlessly replace the token that is given at login with a new token that has the updated user info on it.

Is that possible?

We also want this for when a user updates their info, so that the token will reflect the updated info.

Essentially, we want the same object that gets returned when a user signs in:

This has more than just the token included, and we need it to get updated so that when we call getIdTokenClaims(), it will return the updated info.

1 Like

Hello, there!

I have the same issue as @christina

I have added three Auth0 Actions, all on the Login / Post Login trigger

1st - automatically adds users as organization members based on connection.id (I have separate connections for different organizations, so it works fine for me)

const { ManagementClient } = require('auth0');
exports.onExecutePostLogin = async (event, api) => {
  // Management API client from Action secrets (secret names DOMAIN, CLIENT_ID, CLIENT_SECRET are assumed; the post does not show this setup)
  const management = new ManagementClient({
    domain: event.secrets.DOMAIN,
    clientId: event.secrets.CLIENT_ID,
    clientSecret: event.secrets.CLIENT_SECRET,
  });

  const user_connection_id = event.connection.id;
  // Secret names that start with a digit need bracket notation in JavaScript
  if (user_connection_id == event.secrets['1ST_ORG_CONNECTION_ID']) {
    const params = { id: event.secrets['1ST_ORG_ID'] };
    const data = { members: [event.user.user_id] };
    await management.organizations.addMembers(params, data); // awaited so the next Action sees the membership
  } else if (user_connection_id == event.secrets['2ND_ORG_CONNECTION_ID']) {
    const params = { id: event.secrets['2ND_ORG_ID'] };
    const data = { members: [event.user.user_id] };
    await management.organizations.addMembers(params, data);
  }
};

2nd - assigns an organization role based on connection.id and the user’s email

const { ManagementClient } = require('auth0');
exports.onExecutePostLogin = async (event, api) => {
  // Management API client from Action secrets (secret names DOMAIN, CLIENT_ID, CLIENT_SECRET are assumed; the post does not show this setup)
  const management = new ManagementClient({
    domain: event.secrets.DOMAIN,
    clientId: event.secrets.CLIENT_ID,
    clientSecret: event.secrets.CLIENT_SECRET,
  });

  const user_domain = (event.user.email || '').split('@')[1];
  const user_connection_id = event.connection.id;
  // Only the 1st organization's connection is handled here; secret names starting with a digit need bracket notation
  if (user_connection_id != event.secrets['1ST_ORG_CONNECTION_ID']) return;

  // Email domain -> organization role. Note: this trusts the email address as typed, so on a
  // database connection check event.user.email_verified before granting the ADMIN role.
  const role_by_domain = {
    'company.com': event.secrets.ADMIN_ROLE_ID,
    'icloud.com': event.secrets.READER_ROLE_ID,
    'gmail.com': event.secrets.WRITER_ROLE_ID,
  };
  const role_id = role_by_domain[user_domain];
  if (!role_id) return;

  const params = { id: event.secrets['1ST_ORG_ID'], user_id: event.user.user_id };
  const data = { roles: [role_id] };
  await management.organizations.addMemberRoles(params, data); // awaited so the next Action sees the role
};

The 3rd one should add custom claims to the ID and access tokens to give the user the ability to access resources in the first signup session without logging out and in again; however, it is not working

const { ManagementClient } = require('auth0');
exports.onExecutePostLogin = async (event, api) => {
  // Management API client from Action secrets (secret names DOMAIN, CLIENT_ID, CLIENT_SECRET are assumed; the post does not show this setup)
  const management = new ManagementClient({
    domain: event.secrets.DOMAIN,
    clientId: event.secrets.CLIENT_ID,
    clientSecret: event.secrets.CLIENT_SECRET,
  });

  const orgs = await management.users.getUserOrganizations({ id: event.user.user_id });
  // A freshly signed-up user may not be a member of any organization yet; return instead of throwing on orgs[0]
  if (!orgs || orgs.length === 0) return;
  const roles = await management.organizations.getMemberRoles({ id: orgs[0].id, user_id: event.user.user_id });
  if (roles.length === 0) return;
  const permissions = await management.roles.getPermissions({ id: roles[0].id });

  const namespace = 'http://organization.com';
  const userTokenKeyRoles = `${namespace}/roles`;
  const userTokenKeyPerms = `${namespace}/permissions`;

  if (event.authorization) {
    api.idToken.setCustomClaim(userTokenKeyRoles, roles);
    api.accessToken.setCustomClaim(userTokenKeyRoles, roles);
    api.idToken.setCustomClaim(userTokenKeyPerms, permissions);
    api.accessToken.setCustomClaim(userTokenKeyPerms, permissions);
  }
};

I guess the problem is that the user does not have an org_id parameter on first signup, because I sign users up as regular users (not organization members) and add the user to the organization and assign the org role after signup

Unfortunately, I did not find any way to trigger an action after signup but before the 1st login

Logging out and in again solves the problem, but it’s not good from a user-experience perspective

A workaround could be assigning the same roles and permissions to the regular (not organization) user on signup, and I guess it will work, but for now it looks like a dirty trick rather than a best-practice solution, because I need to assign roles to org members, not to users

I have researched in the direction of Force Reauthentication, but I can’t find the ‘prompt’ or ‘max_age’ authorizationParams in the Next.js Auth0 SDK that I need to use with my Next.js

Maybe someone has a suggestion on how to solve this issue in the right way?
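As an added example (not code from either post): the three Post Login steps above folded into one Action that awaits each Management API call, so membership and roles exist before the claims are computed, plus the check a relying party should make that a token was issued for the organization its subdomain maps to. The connection, organization and role ids in CONFIG and the in-memory stand-in for ManagementClient are assumptions so the example runs offline.

```javascript
// Added example, not code from either post: the thread's three Post Login steps in one
// Action with awaited Management API calls, plus a relying-party check that a token was
// issued for the expected organization. Ids in CONFIG are constructed placeholders.
const NAMESPACE = 'http://organization.com';
const CONFIG = {
  orgByConnection: { con_first: 'org_first' },                             // connection.id -> org id
  roleByDomain: { 'company.com': 'rol_admin', 'gmail.com': 'rol_writer' }, // email domain -> role id
};

// Same shape as the Action handler; the ManagementClient is passed in so it can be faked.
async function onExecutePostLogin(event, api, management, config = CONFIG) {
  const orgId = config.orgByConnection[event.connection.id];
  if (!orgId) return null; // not an organization connection: leave the tokens alone
  const userId = event.user.user_id;
  // 1. Membership first, awaited, so the lookups below already see it.
  await management.organizations.addMembers({ id: orgId }, { members: [userId] });
  // 2. Role by email domain, only for a verified email: the domain is user-chosen at signup.
  const domain = (event.user.email || '').split('@')[1];
  const roleId = event.user.email_verified ? config.roleByDomain[domain] : undefined;
  if (roleId) {
    await management.organizations.addMemberRoles({ id: orgId, user_id: userId }, { roles: [roleId] });
  }
  // 3. Read the result back and put it, with the org id, into both tokens of this login.
  const roles = await management.organizations.getMemberRoles({ id: orgId, user_id: userId });
  for (const token of [api.idToken, api.accessToken]) {
    token.setCustomClaim(`${NAMESPACE}/org_id`, orgId);
    token.setCustomClaim(`${NAMESPACE}/roles`, roles.map((r) => r.id));
  }
  return orgId;
}
// Relying party: trust roles only from a token for the org the subdomain maps to (Auth0's
// own org_id claim or the namespaced copy set above); otherwise require a fresh login.
function tokenIsForOrg(claims, expectedOrgId) {
  const org = claims.org_id || claims[`${NAMESPACE}/org_id`];
  return typeof org === 'string' && org === expectedOrgId;
}
// In-memory stand-in for ManagementClient.organizations so the example runs offline.
function fakeManagement() {
  const members = {}; // orgId -> { userId -> [roleId] }
  const bucket = (id, u) => { const o = (members[id] = members[id] || {}); return (o[u] = o[u] || []); };
  return { organizations: {
    async addMembers({ id }, { members: m }) { m.forEach((u) => bucket(id, u)); },
    async addMemberRoles({ id, user_id }, { roles }) { bucket(id, user_id).push(...roles); },
    async getMemberRoles({ id, user_id }) { return bucket(id, user_id).map((r) => ({ id: r })); },
  } };
}
function fakeApi() {
  const claims = {}, token = { setCustomClaim(k, v) { claims[k] = v; } };
  return { idToken: token, accessToken: token, claims };
}
```

Running `onExecutePostLogin(event, fakeApi(), fakeManagement())` with a verified company.com user on con_first yields claims for org_first with roles ['rol_admin'] in the same login, and `tokenIsForOrg` rejects a token carrying another org_id or none at all.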
