Team accounts with Auth0

Are there any recommended solutions out there to implement multiple users logging in/signing up as part of the same team? E.g., I create an account, invite my friends Joe and Tim, and now we all have access to the same subscription and data.

We are currently using Auth0 Lock in a React.js single-page app with email/password, Facebook, and Google logins. I have one idea of attaching a team_id attribute in app_metadata, which can then be accessed via the access token that is sent with all requests to the backend that serves the data. Unsure about the little details of this, but hoping to see if we can avoid re-inventing the wheel.

There’s no specific built-in feature that addresses the notion of a team. You can use Auth0 to replace custom user authentication and also implement some aspects of user authorization. User authentication is something that can be easily decoupled from the business requirements; it’s just proving the users are who they say they are. However, user authorization is in most cases coupled with the business requirements.

At this time, you can already model user authorization using Auth0 features that focus on the most common approaches for authorization; for example, the Authorization extension focuses on groups and roles. In addition, by leveraging the available extensibility points like rules, you can implement more specific authorization needs. In particular, the one you mention would be using rules to provide a custom claim in the issued access token. Also keep in mind that the approach you describe is fine, but you’re in a much better position to say if it’s the most suitable. Personally, if it’s just a single team identifier then the authorization extension may be overkill.

Hi @jmangelo, thank you for the response. I have done some more architecting and there is one particular part I am struggling on and hoping you can help shed some light on it. When a user invites someone to his group/team, an email is sent out with an invitation link which goes to the same sign-up page (with Auth0 WebAuth Lock) but contains a specific invite code in the link that lets us know that this user is signing up to be in an existing group. When a user signs up with the Lock UI, it’s sent to the redirect URL with the access and ID tokens, but how can I also pass back the invite code in the original link so the user can get added to the group?

Right now, I do have a rule that adds the group ID in the user’s app_metadata to the access token, but it causes issues because that rule gets called on the very first sign-up, when the group ID property does not exist in the user’s app metadata yet.
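
Added example, not part of the thread and not code from any poster: a rule that copies `team_id` from `app_metadata` into a namespaced access-token claim and tolerates the first sign-up where the property is still missing, plus the backend check that denies access when the claim is absent. The `https://example.com/` namespace, the function names and the sample team IDs are assumptions for illustration.

```javascript
// Assumed namespace for the custom claim; replace with a URL you control.
const NAMESPACE = 'https://example.com/';
const TEAM_CLAIM = NAMESPACE + 'team_id';

// Auth0 rule body: runs on every login, including the very first sign-up.
function addTeamClaim(user, context, callback) {
  const meta = user.app_metadata || {}; // absent on a brand-new user
  const teamId = meta.team_id;
  if (typeof teamId === 'string' && teamId.length > 0) {
    context.accessToken = context.accessToken || {};
    context.accessToken[TEAM_CLAIM] = teamId;
  }
  // No team yet: issue the token without the claim instead of failing login.
  return callback(null, user, context);
}

// Backend helper. `claims` must come from an access token whose signature,
// issuer and audience were already verified; never from unverified input.
function teamIdFromClaims(claims) {
  const value = claims ? claims[TEAM_CLAIM] : undefined;
  return typeof value === 'string' && value.length > 0 ? value : null;
}

// Deny by default: a token without the claim has access to no team's data.
function canAccessTeam(claims, requestedTeamId) {
  const teamId = teamIdFromClaims(claims);
  return teamId !== null && teamId === requestedTeamId;
}

// Constructed sample users: one fresh sign-up, one existing team member.
function runRule(user) {
  let issued = null;
  addTeamClaim(user, { accessToken: {} }, (err, u, ctx) => {
    if (err) throw err;
    issued = ctx.accessToken;
  });
  return issued;
}

const freshToken = runRule({ user_id: 'auth0|constructed-new' });
const memberToken = runRule({
  user_id: 'auth0|constructed-member',
  app_metadata: { team_id: 'team_42' },
});
console.log(canAccessTeam(freshToken, 'team_42'));  // false
console.log(canAccessTeam(memberToken, 'team_42')); // true
```

Because the team ID is read from `app_metadata`, which the end user cannot edit, the backend can scope every query by the claim rather than by a team ID supplied in the request.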