Hello, there!
I have the same issue as @christina
I have added three Auth0 Actions, all on the Login / Post Login trigger
1st - automatically adds users to organizations’ members based on connection.id (I have separate connections for different organizations, so it works fine for me)
```javascript
const { ManagementClient } = require('auth0');

exports.onExecutePostLogin = async (event, api) => {
  // Management API client; DOMAIN / CLIENT_ID / CLIENT_SECRET are assumed Action secret names
  const management = new ManagementClient({
    domain: event.secrets.DOMAIN, clientId: event.secrets.CLIENT_ID, clientSecret: event.secrets.CLIENT_SECRET,
  });
  const user_connection_id = event.connection.id;
  // Secret names that start with a digit cannot be read with dot notation, only with brackets
  if (user_connection_id === event.secrets['1ST_ORG_CONNECTION_ID']) {
    const params = { id: event.secrets['1ST_ORG_ID'] };
    const data = { members: [event.user.user_id] };
    await management.organizations.addMembers(params, data);
  } else if (user_connection_id === event.secrets['2ND_ORG_CONNECTION_ID']) {
    const params = { id: event.secrets['2ND_ORG_ID'] };
    const data = { members: [event.user.user_id] };
    await management.organizations.addMembers(params, data);
  }
};
```
2nd - assigns an organization role based on connection.id and user’s email
```javascript
const { ManagementClient } = require('auth0');

exports.onExecutePostLogin = async (event, api) => {
  // Management API client; DOMAIN / CLIENT_ID / CLIENT_SECRET are assumed Action secret names
  const management = new ManagementClient({
    domain: event.secrets.DOMAIN, clientId: event.secrets.CLIENT_ID, clientSecret: event.secrets.CLIENT_SECRET,
  });
  const secrets = event.secrets;
  const user_domain = (event.user.email || '').split('@')[1];
  const user_connection_id = event.connection.id;
  // Roles are only assigned to users who arrived through the 1st organization's connection
  if (user_connection_id !== secrets['1ST_ORG_CONNECTION_ID']) return;
  // Pick the organization role from the e-mail domain
  let role_id;
  if (user_domain === 'company.com') role_id = secrets.ADMIN_ROLE_ID;
  else if (user_domain === 'icloud.com') role_id = secrets.READER_ROLE_ID;
  else if (user_domain === 'gmail.com') role_id = secrets.WRITER_ROLE_ID;
  if (!role_id) return;
  const params = { id: secrets['1ST_ORG_ID'], user_id: event.user.user_id };
  const data = { roles: [role_id] };
  await management.organizations.addMemberRoles(params, data);
};
```
3rd one should add custom claims to the ID and access tokens so that the user can access resources in the first signup session without logging out and back in; however, it is not working
```javascript
const { ManagementClient } = require('auth0');

exports.onExecutePostLogin = async (event, api) => {
  // Management API client; DOMAIN / CLIENT_ID / CLIENT_SECRET are assumed Action secret names
  const management = new ManagementClient({
    domain: event.secrets.DOMAIN, clientId: event.secrets.CLIENT_ID, clientSecret: event.secrets.CLIENT_SECRET,
  });
  const orgs = await management.users.getUserOrganizations({ id: event.user.user_id });
  // A user who is not yet a member of any organization has no roles to claim
  if (!orgs || orgs.length === 0) return;
  const roles = await management.organizations.getMemberRoles({ id: orgs[0].id, user_id: event.user.user_id });
  const permissions = roles.length > 0 ? await management.roles.getPermissions({ id: roles[0].id }) : [];
  const namespace = 'http://organization.com';
  const userTokenKeyRoles = `${namespace}/roles`;
  const userTokenKeyPerms = `${namespace}/permissions`;
  if (event.authorization) {
    api.idToken.setCustomClaim(userTokenKeyRoles, roles);
    api.accessToken.setCustomClaim(userTokenKeyRoles, roles);
    api.idToken.setCustomClaim(userTokenKeyPerms, permissions);
    api.accessToken.setCustomClaim(userTokenKeyPerms, permissions);
  }
};
```
I guess the problem is that the user does not have an org_id parameter on first signup, because I sign up as a regular user (not an organization member) and add the user to the organization and assign the org role after signup
Unfortunately, I did not find any ability to trigger an action after signup but before 1st login
Logging out and in again solves the problem, but it's not good from a user-experience perspective
The workaround could be assigning the same roles and permissions to the regular (non-organization) user on signup, and I guess it would work, but for now it looks like a dirty trick rather than a best-practice solution, because I need to assign roles to org members, not to users
I have researched in the direction of Force Reauthentication, but I can't find the 'prompt' or 'max_age' authorizationParams in the Next.js Auth0 SDK that I need to use with my Next.js
Maybe someone has a suggestion on how to solve this issue in the right way?
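Added example, not the poster's code: the three Actions above merged into one Post Login Action that adds the membership, assigns the role and only then reads the roles back to set the custom claims, so the tokens of the very first login already carry them. It keeps the post's secret names and claim namespace; everything else is assumed: the Management API client is passed in as an argument (`management`) so the logic can be exercised offline against the in-memory fake at the bottom, the real `addMembers` call is assumed to be a no-op for an existing member, and the role lookup additionally requires `event.user.email_verified`, because a role granted on the domain of an unverified e-mail address is a privilege anyone can obtain by typing that address at signup. The `runDemo` scenario and its users are constructed.

```javascript
// Added example (not the poster's code): membership, role and custom claims in one Post Login
// Action, with the Management API client injected so it runs offline against the fake below.
const NAMESPACE = 'http://organization.com';

// connection id -> organization id (secret names as in the post)
function orgForConnection(connectionId, secrets) {
  if (connectionId === secrets['1ST_ORG_CONNECTION_ID']) return secrets['1ST_ORG_ID'];
  if (connectionId === secrets['2ND_ORG_CONNECTION_ID']) return secrets['2ND_ORG_ID'];
  return null;
}

// e-mail domain -> role id, only for the first organization and only for a verified address:
// a role keyed on the domain of an unverified e-mail is a privilege anyone can claim by typing it.
function roleForUser(user, orgId, secrets) {
  if (orgId !== secrets['1ST_ORG_ID'] || !user.email_verified) return null;
  const domain = (user.email || '').split('@')[1];
  const byDomain = { 'company.com': secrets.ADMIN_ROLE_ID, 'icloud.com': secrets.READER_ROLE_ID,
                     'gmail.com': secrets.WRITER_ROLE_ID };
  return byDomain[domain] || null;
}

// In the Action editor: exports.onExecutePostLogin = (event, api) => onExecutePostLogin(event, api, client)
// where `client` is a ManagementClient from the 'auth0' package, configured from Action secrets.
async function onExecutePostLogin(event, api, management) {
  const secrets = event.secrets;
  const userId = event.user.user_id;
  const orgId = orgForConnection(event.connection.id, secrets);
  if (!orgId) return;
  // 1. membership (assumed idempotent on the real API: re-adding an existing member is a no-op)
  await management.organizations.addMembers({ id: orgId }, { members: [userId] });
  // 2. role, if the user qualifies for one
  const roleId = roleForUser(event.user, orgId, secrets);
  if (roleId) await management.organizations.addMemberRoles({ id: orgId, user_id: userId }, { roles: [roleId] });
  // 3. claims, read back after the writes; only names go into the tokens, not whole API objects
  const roles = await management.organizations.getMemberRoles({ id: orgId, user_id: userId });
  const permissions = roles.length ? await management.roles.getPermissions({ id: roles[0].id }) : [];
  if (event.authorization) {
    for (const token of [api.idToken, api.accessToken]) {
      token.setCustomClaim(`${NAMESPACE}/roles`, roles.map((r) => r.name));
      token.setCustomClaim(`${NAMESPACE}/permissions`, permissions.map((p) => p.permission_name));
    }
  }
}

// ---- constructed in-memory stand-ins for the Management API and the Action `api` object ----
function makeFakeManagement(roleCatalog) {
  const members = {};     // orgId -> Set of user ids
  const memberRoles = {}; // "orgId:userId" -> [roleId]
  return {
    organizations: {
      async addMembers({ id }, { members: list }) {
        members[id] = members[id] || new Set();
        list.forEach((u) => members[id].add(u));
      },
      async addMemberRoles({ id, user_id }, { roles }) {
        memberRoles[`${id}:${user_id}`] = (memberRoles[`${id}:${user_id}`] || []).concat(roles);
      },
      async getMemberRoles({ id, user_id }) {
        return (memberRoles[`${id}:${user_id}`] || []).map((rid) => roleCatalog[rid]);
      },
    },
    roles: { async getPermissions({ id }) { return roleCatalog[id].permissions; } },
  };
}

function makeFakeApi() {
  const claims = { idToken: {}, accessToken: {} };
  return {
    claims,
    idToken: { setCustomClaim(k, v) { claims.idToken[k] = v; } },
    accessToken: { setCustomClaim(k, v) { claims.accessToken[k] = v; } },
  };
}

// Constructed scenario: first login of two fresh users through the 1st organization's connection.
// Returns the access-token claims each one received.
async function runDemo() {
  const secrets = { '1ST_ORG_CONNECTION_ID': 'con_first', '1ST_ORG_ID': 'org_first',
    '2ND_ORG_CONNECTION_ID': 'con_second', '2ND_ORG_ID': 'org_second',
    ADMIN_ROLE_ID: 'rol_admin', READER_ROLE_ID: 'rol_reader', WRITER_ROLE_ID: 'rol_writer' };
  const perm = (name) => ({ permission_name: name });
  const catalog = {
    rol_admin: { id: 'rol_admin', name: 'admin', permissions: [perm('read:reports'), perm('write:reports')] },
    rol_reader: { id: 'rol_reader', name: 'reader', permissions: [perm('read:reports')] },
    rol_writer: { id: 'rol_writer', name: 'writer', permissions: [perm('write:reports')] },
  };
  const management = makeFakeManagement(catalog);
  const users = {
    verified: { user_id: 'auth0|alice', email: 'alice@company.com', email_verified: true },
    unverified: { user_id: 'auth0|mallory', email: 'mallory@company.com', email_verified: false },
  };
  const results = {};
  for (const [label, user] of Object.entries(users)) {
    const api = makeFakeApi();
    await onExecutePostLogin({ secrets, connection: { id: 'con_first' }, authorization: {}, user }, api, management);
    results[label] = api.claims.accessToken;
  }
  return results;
}
```

Because every Management API write is awaited before the roles are read back, the claims reflect the membership and role created in the same execution, something the three separate Actions cannot guarantee while their `addMembers` and `addMemberRoles` calls are not awaited. The machine-to-machine client behind `management` should be granted only the organization-member and role scopes these four calls need, and the tokens carry role and permission names rather than full API objects, which keeps token size and exposed detail to a minimum.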