Closed khitrenovich closed 2 years ago
Hello,
Auth0 Server expects an organization id to be sent alongside the requests triggered from this SDK (as well as all other SDKs), see: https://auth0.com/docs/api/authentication#authorization-code-flow-with-pkce
Accepting an `organization_name` would not allow us to call the API in the context of an organization, as we have no knowledge of its ID.
I believe both Option 1 and Option 2 are expected situations and not work-arounds given the way organizations work with Auth0 today.
If you believe this could be improved from an Auth0 server point of view (so this goes far beyond this SDK), at Auth0 we always appreciate feedback so feel free to go to https://auth0.com/feedback and submit the feedback regarding organizations so that it reaches the correct team.
Hi @frederikprijck,
Thank you for the quick response! I've just posted the feedback here: https://community.auth0.com/t/ability-to-provide-organization-name-during-authorization-code-flow/72681
Thanks for moving it there. I am closing this issue for now, as we can't do much from an SDK perspective.
### Describe the problem you'd like to have solved
We are building a multitenant system, where authentication is based on Auth0 and every tenant is an Auth0 organization. The frontend is implemented in React and is using `auth0-react` for authentication needs. Our Auth0 client/application is configured to display the organization prompt by default. During the login flow our end users have to provide their tenant name (that is, type it in the organization prompt).

We want to improve the login experience for customers that connect 3rd party IDPs (for example, their own Okta) to our Auth0 by providing them a bookmark URL that can be used in their Okta SSO portal. Ideally, this URL should sign in authenticated end users in our app without additional prompts.
This looks feasible. However, at this moment there is no way to send the organization name in `Auth0Provider` properties.

### Describe the ideal solution
Ideally, we would like to see `Auth0Provider` being enhanced to accept an `organization_name` attribute, which will allow us to skip the organization prompt in a way similar to what the `organization` attribute does today.

### Alternatives and current work-arounds
**Option 1:** We can send the organization ID to make the flow work. This means that we will have to expose the internal ID of the Auth0 organization, which corresponds to the customer tenant. This solution is prone to future internal changes, system migrations etc., and will force us to maintain those IDs pretty much forever.
**Option 2:** We can expose an unauthenticated API that will provide name-to-ID mapping and will be used on the SPA side to convert the tenant/org name to an organization ID. This API will have to utilize the Auth0 management API internally, which in turn is subject to Auth0 rate limits. This means that we will have to implement our own rate limiting, DoS protection etc.
### Additional context
Both alternatives introduce unnecessary complications to our systems. This feature would make our life much easier!
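The "Option 2" work-around above, sketched as an added example (not code from the auth0-react project or the issue author): a server-side name-to-ID resolver that validates the tenant name, caches positive and negative answers, and rate-limits uncached lookups per client so an unauthenticated endpoint cannot drive unbounded Management API traffic. The `lookup` function, the `ORG_NAME` policy and the sample organization table are assumptions standing in for the real Management API call.

```javascript
// Added example, not code from the auth0-react project or the issue author.
// Server-side resolver for the "Option 2" work-around: an unauthenticated
// tenant-name -> organization-ID endpoint. It validates the name, caches
// positive and negative answers, and applies a fixed-window rate limit per
// client so the endpoint cannot turn into unbounded Management API traffic.
// `lookup` is an assumed, injected function that would perform the real
// Auth0 Management API call; the sample below replaces it with a table.

const ORG_NAME = /^[a-z0-9][a-z0-9-]{1,49}$/; // assumed tenant-name policy

function createOrgResolver({ lookup, cacheTtlMs = 300000, limit = 60, windowMs = 60000, now = Date.now }) {
  const cache = new Map();   // name -> { id, expires }
  const buckets = new Map(); // clientKey -> { count, windowStart }

  // Fixed-window counter: at most `limit` uncached lookups per client per window.
  function allowed(clientKey) {
    const t = now();
    const b = buckets.get(clientKey);
    if (!b || t - b.windowStart >= windowMs) {
      buckets.set(clientKey, { count: 1, windowStart: t });
      return true;
    }
    b.count += 1;
    return b.count <= limit;
  }

  async function resolve(name, clientKey) {
    if (typeof name !== 'string' || !ORG_NAME.test(name)) {
      return { status: 400, error: 'invalid organization name' };
    }
    const hit = cache.get(name);
    if (hit && hit.expires > now()) { // cache hits are cheap, so they are not rate limited
      return hit.id ? { status: 200, id: hit.id } : { status: 404, error: 'unknown organization' };
    }
    if (!allowed(clientKey)) return { status: 429, error: 'rate limited' };
    const id = await lookup(name); // null when no organization has this name
    cache.set(name, { id, expires: now() + cacheTtlMs });
    return id ? { status: 200, id } : { status: 404, error: 'unknown organization' };
  }
  return { resolve };
}

// Constructed sample mapping standing in for Management API responses.
const SAMPLE_ORGS = { acme: 'org_EXAMPLE_acme', globex: 'org_EXAMPLE_globex' };
let lookups = 0; // counts calls that would have reached the Management API
const resolver = createOrgResolver({
  lookup: async (name) => { lookups += 1; return SAMPLE_ORGS[name] ?? null; },
  limit: 2, // small window for demonstration
});
const lookupCount = () => lookups;
```

Negative answers are cached as well, so repeated probes for a non-existent tenant are answered from memory instead of reaching Auth0.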