[pre-auth] In Universal Login, how to determine the connection the user should authenticate with?

Our Auth0 tenant is set up to have 1 connection for each of our clients. Some are standard (database, email/pass) and others are enterprise.

Currently we have an application for each client so that each one has its own login page. This is unmanageable and tedious. We would like to consolidate to only 2: a mobile and a web application (each with their respective configurations).

We would like to move towards Universal Login but have hit a snag. Before the user has authenticated, we need to know which connection to authenticate with and where to redirect them afterwards.

The only proposed mechanism we have come up with is one I don't feel comfortable with:

  • In the Universal Login we define a custom HTML template
  • Using the Auth0 Lock lib we utilize the connectionResolver property
  • In the connectionResolver we would make a call to a publicly exposed endpoint of our API
  • This endpoint would serve as a proxy for the A0 Management API
  • Using the A0 Management API we perform a lookup with the user's email and send back their connection name
  • This connection name is then passed to the connectionResolver callback

There are several problems with this:

  1. We are publicly exposing a proxy of the A0 Management API. Granted, the scope is limited (it can't be enumerated, but it can be brute-forced with client emails to determine what connection they belong to).
  2. To consolidate to 2 applications we need to control where the user is redirected to after authentication.

Questions

  1. Is there a better way to organize our tenant to manage many clients? Our ISAs require that every client be isolated from the other.
  2. How can we securely determine the connection the user should authenticate with?
  3. How can we securely determine where to redirect the user post-authentication?
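
The resolver flow outlined in the post, as an added example that is not part of the original post or Auth0's own code: a Lock `connectionResolver` that asks a lookup endpoint for the connection name and falls back to Lock's default behaviour on any error, unknown user, or malformed reply. The endpoint path, its `{ connection }` response shape, and the helper names are assumptions.

```javascript
// Added example. LOOKUP_URL and the { connection } response shape are assumptions.
const LOOKUP_URL = '/api/connection-lookup'; // hypothetical proxy endpoint on our API

// Our own sanity checks, not Auth0 rules.
const NAME_RE = /^[A-Za-z0-9][A-Za-z0-9-]{0,127}$/;
const EMAIL_RE = /^[^@\s]+@[^@\s]+$/;

// Asks the proxy which connection an email belongs to; calls done(err, name).
function lookupConnection(email, done) {
  fetch(LOOKUP_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ email }),
  })
    .then((res) => (res.ok ? res.json() : Promise.reject(new Error('lookup failed'))))
    .then((body) => done(null, body && body.connection), (err) => done(err));
}

// Builds the function passed as Lock's connectionResolver option.
// `lookup` is injected so the resolver can be exercised without a network.
function makeConnectionResolver(lookup) {
  return function connectionResolver(username, context, cb) {
    const email = String(username || '').trim().toLowerCase();
    // Do not call the endpoint for input that is not shaped like an email.
    if (!EMAIL_RE.test(email)) return cb(null);
    lookup(email, (err, name) => {
      // Error, unknown user and malformed reply all take the same path:
      // cb(null) tells Lock to pick the connection the default way.
      if (err || typeof name !== 'string' || !NAME_RE.test(name)) return cb(null);
      // Lock's README shows the resolved shape { type: 'database', name }.
      cb({ type: 'database', name });
    });
  };
}

// Wiring inside the custom Universal Login template (clientId and domain
// come from the template's own config):
// new Auth0Lock(clientId, domain, {
//   connectionResolver: makeConnectionResolver(lookupConnection),
// });
```

The fallback in the browser does not change what the endpoint itself discloses; the brute-force concern listed in the post has to be handled on the server side of the lookup.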