auth0 / auth0-react

Auth0 SDK for React Single Page Applications (SPA)
MIT License

Ability to provide organization name in `Auth0Provider` properties #297

Closed khitrenovich closed 2 years ago

khitrenovich commented 2 years ago

Describe the problem you'd like to have solved

We are building a multitenant system, where authentication is based on Auth0 and every tenant is an Auth0 organization. The frontend is implemented in React and is using auth0-react for authentication needs. Our Auth0 client/application is configured to display the organization prompt by default. During the login flow our end users have to provide their tenant name (that is, type it in the organization prompt).

We want to improve the login experience for customers that connect 3rd-party IDPs (for example, their own Okta) to our Auth0 by providing them a bookmark URL that can be used in their Okta SSO portal. Ideally, this URL should sign in authenticated end users to our app without additional prompts.

Auth0-Okta SSO Flow

This looks feasible. However, at this moment there is no way to send organization name in Auth0Provider properties.

Describe the ideal solution

Ideally, we would like to see Auth0Provider enhanced to accept an organization_name attribute, which would allow us to skip the organization prompt in a way similar to what the organization attribute does today.

Alternatives and current work-arounds

Option 1: We can send the organization ID to make the flow work. This means that we will have to expose the internal ID of the Auth0 organization that corresponds to the customer tenant. This solution is prone to future internal changes, system migrations etc., and will force us to maintain those IDs pretty much forever.

Option 2: We can expose an unauthenticated API that will provide a name-to-ID mapping and will be used on the SPA side to convert the tenant/org name to an organization ID. This API will have to use the Auth0 Management API internally, which in turn is subject to Auth0 rate limits. This means that we will have to implement our own rate limiting, DoS protection etc.

Additional context

Both alternatives introduce unnecessary complications to our systems. This feature would make our life much easier!
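As an added example (not code from this issue, from auth0-react, or from Auth0), the following sketches the name-to-ID mapping service described under Option 2 above, with the controls the post says it would need: input validation on the tenant name, a cache so the upstream Management API is consulted at most once per tenant per TTL, and a per-caller rate limit that only uncached lookups count against. Everything in it is constructed: the tenant names and organization IDs are placeholders (real IDs are issued by the Auth0 tenant), the `lookup` function stands in for the Management API call, which is not shown, and `domain`/`clientId` are placeholders. The resolved ID is what would end up in the `organization` prop of `Auth0Provider`.

```javascript
// Added example: name -> organization ID resolution in front of an
// (assumed) Management API lookup. Not part of auth0-react.

// Tenant names are restricted to a conservative slug alphabet so that an
// arbitrary string never reaches the lookup backend.
const TENANT_NAME_RE = /^[a-z0-9](?:[a-z0-9-]{0,62}[a-z0-9])?$/;

function isValidTenantName(name) {
  return typeof name === "string" && TENANT_NAME_RE.test(name);
}

// Constructed sample directory standing in for the Management API response.
// The IDs are placeholders, not real Auth0 organization IDs.
const SAMPLE_DIRECTORY = new Map([
  ["acme", "org_PLACEHOLDER_acme0001"],
  ["globex", "org_PLACEHOLDER_globex01"],
]);

// Fixed-window rate limiter keyed by caller (for example the client IP).
// `now` is injectable so the behaviour can be tested deterministically.
class RateLimiter {
  constructor(limit, windowMs, now = Date.now) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.buckets = new Map(); // key -> { start, count }
  }
  allow(key) {
    const t = this.now();
    const b = this.buckets.get(key);
    if (!b || t - b.start >= this.windowMs) {
      this.buckets.set(key, { start: t, count: 1 });
      return true;
    }
    if (b.count >= this.limit) return false;
    b.count += 1;
    return true;
  }
}

class OrgResolver {
  // `lookup` is an async function name -> id | undefined. In a real deployment
  // it would wrap the Management API call (assumed here, not implemented).
  // `ttlMs` bounds how long a cached mapping is reused.
  constructor({ lookup, limiter, ttlMs = 5 * 60 * 1000, now = Date.now }) {
    this.lookup = lookup;
    this.limiter = limiter;
    this.ttlMs = ttlMs;
    this.now = now;
    this.cache = new Map(); // name -> { id, expires }
    this.upstreamCalls = 0; // exposed so callers can observe API pressure
  }

  async resolve(name, callerKey) {
    if (!isValidTenantName(name)) return { status: "invalid" };
    const cached = this.cache.get(name);
    if (cached && cached.expires > this.now()) {
      return { status: "ok", orgId: cached.id };
    }
    // Only uncached requests are charged to the caller, so a popular tenant
    // cannot be used to burn through the Management API budget.
    if (!this.limiter.allow(callerKey)) return { status: "rate_limited" };
    this.upstreamCalls += 1;
    const id = await this.lookup(name);
    if (!id) return { status: "not_found" };
    this.cache.set(name, { id, expires: this.now() + this.ttlMs });
    return { status: "ok", orgId: id };
  }
}

// Props the SPA would hand to <Auth0Provider>, with `organization` set to the
// resolved ID. `domain` and `clientId` are placeholders.
function buildProviderProps(orgId) {
  return {
    domain: "YOUR_TENANT.auth0.com",
    clientId: "YOUR_CLIENT_ID",
    redirectUri: "https://app.example/callback",
    organization: orgId,
  };
}

// Stand-alone usage with the constructed directory.
const demoResolver = new OrgResolver({
  lookup: async (name) => SAMPLE_DIRECTORY.get(name),
  limiter: new RateLimiter(10, 60 * 1000),
});
demoResolver.resolve("acme", "203.0.113.10").then((r) => {
  console.log(r, r.status === "ok" ? buildProviderProps(r.orgId) : null);
});
```

Negative results are deliberately not cached here; a deployment that expects many lookups of unknown names would want a short negative-cache TTL as well, otherwise each miss costs an upstream call.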

frederikprijck commented 2 years ago

Hello,

Auth0 Server expects an organization id to be sent alongside the requests triggered from this SDK (as well as all other SDKs), see: https://auth0.com/docs/api/authentication#authorization-code-flow-with-pkce


Accepting an organization_name would not allow us to call the API in the context of an organization, as we have no knowledge of its ID.

I believe both Option 1 and Option 2 are expected situations and not work-arounds given the way organizations work with Auth0 today.

If you believe this could be improved from an Auth0 server point of view (so this goes far beyond this SDK), at Auth0 we always appreciate feedback so feel free to go to https://auth0.com/feedback and submit the feedback regarding organizations so that it reaches the correct team.

khitrenovich commented 2 years ago

Hi @frederikprijck,

Thank you for the quick response! I've just posted the feedback here: https://community.auth0.com/t/ability-to-provide-organization-name-during-authorization-code-flow/72681

frederikprijck commented 2 years ago

Thanks for moving it there. I am closing this issue for now, as we can't do much from an SDK perspective.