We were trying to figure out how to fit our Organization and Team model into the current Auth0 APIs and offerings (B2C application).
Could you please help us out in figuring out what would be the best way of representing Teams under an Organization? (Note: the Organization feature provides all the functionalities we need; it only lacks Group/Team support.)
It would be possible to use Roles for this purpose since they can be assigned to users and users in an organization as well, but according to the Entity Limit Policy, a tenant can only have up to 1000 roles. This is okay for the initial deployment and it will only need to be addressed later when we reach that many Orgs/Teams. (Usually, we have around 3-5 teams per organization, so it is possible to represent around 200-300 organizations in the system.)
I’ve been thinking about that myself. I am evaluating Auth0 instead of Azure B2C for a B2B/B2C SaaS, so kinda in the same boat. My “draft solution” for this is to extend Auth0 user metadata with a group tag and a value (org_id::group-name) that works with our management microservice. We can manage the concept of groups at that layer without using a persistence layer of our own. Assignment of groups is simply a lookup on users with the right tag and mass update of the rule.
I hope that helps.
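A minimal sketch of the org_id::group-name tagging approach described in the post above, added as an illustration; it is not code from any poster or from Auth0 and calls no Auth0 API. The `group_tags` key, the record shape and the allowed character set are assumptions, the sample users are constructed, and the tags are assumed to live in a metadata field that only the management service can write, since they drive access decisions.

```python
import re

# Constructed sample records; "group_tags" is a hypothetical metadata key.
USERS = [
    {"user_id": "auth0|u1", "metadata": {"group_tags": ["org_a::billing", "org_a::dev"]}},
    {"user_id": "auth0|u2", "metadata": {"group_tags": ["org_b::dev"]}},
    {"user_id": "auth0|u3", "metadata": {"group_tags": ["org_a::dev", "org_a::::dev", 42]}},
    {"user_id": "auth0|u4", "metadata": {}},
]

# Neither part may contain ':' so that "org::team" splits exactly one way.
_PART = re.compile(r"[A-Za-z0-9_-]{1,64}")
SEP = "::"


def make_tag(org_id, group):
    """Build a tag, refusing parts that would make parsing ambiguous."""
    for part in (org_id, group):
        if not isinstance(part, str) or not _PART.fullmatch(part):
            raise ValueError(f"invalid tag component: {part!r}")
    return f"{org_id}{SEP}{group}"


def parse_tag(tag):
    """Return (org_id, group), or None for a malformed tag."""
    if not isinstance(tag, str):
        return None
    org_id, sep, group = tag.partition(SEP)
    if not sep or not _PART.fullmatch(org_id) or not _PART.fullmatch(group):
        return None
    return org_id, group


def members_of(users, org_id, group):
    """Exact-match lookup; malformed tags never grant membership."""
    wanted = (org_id, group)
    return [u["user_id"] for u in users
            if any(parse_tag(t) == wanted
                   for t in u.get("metadata", {}).get("group_tags", []))]


def assign(user, org_id, group):
    """Add a tag idempotently and return the user's updated tag list."""
    tags = user.setdefault("metadata", {}).setdefault("group_tags", [])
    tag = make_tag(org_id, group)
    if tag not in tags:
        tags.append(tag)
    return tags
```

Matching on the parsed (org, group) pair rather than on a string prefix keeps a team in one organization from being confused with a similarly named one in another.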
@mczotter @devnull You’d probably both be interested in the upcoming Auth0 FGA product:
It’s designed to deal with a variety of Authz requirements and would be suitable for team assignments.
Thanks for sharing that, @Hawxy!
Thanks for sharing all the info.
We tried the Auth0 FGA back in December when the community preview launched, and one of the features we wanted to see was the Lookup API, which wasn’t available at that time (haven’t checked since then, so this might be in place already). Anyway, we went with our own model and we are transitioning now to a custom FGA implementation which does support organizations, teams, etc. What we need is to store metadata next to these objects. The Auth0 Organization feature provides this for us, but for Teams, we are unable to store a description text in the FGA and we need a solution for that. Roles might be it, but due to the limitation we won’t be able to use that for long, and that’s why we need a long-term plan as well.
For the initial version, I think we will drop the Team additional metadata requirement and will go with just a simple name identifier until we find a better solution to this problem.