You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/specs/organization/10-use-case.md
+52-3Lines changed: 52 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -228,9 +228,8 @@ Member (user_id=louischanyoursky, org_id=yoursky)
228
228
229
229
### Use case 4.1: Add a User as a Member of Organization via Admin API
230
230
231
-
This is the simplest case.
232
-
No invitation is involved.
233
-
The Organization domain settings **IS RESPECTED**.
231
+
This is trivial.
232
+
Things like Login ID email domain allowlist and blocklist **ARE NOT** considered.
234
233
235
234
### Use case 4.2: Direct invitation URL
236
235
@@ -370,3 +369,53 @@ Let me name a few here.
370
369
### Use case 5: Design Decision
371
370
372
371
We implement Use case 5.1 for MVP.
372
+
373
+
## Use case 6: How do we maintain the validity of the membership?
374
+
375
+
In Use case 4, we discussed the ways that a User can become Member of Organization.
376
+
377
+
In this use case, we discuss how do we maintain the validity of the membership.
378
+
379
+
When we read through Use case 4, we know that if a User has an allowed email address,
380
+
then the User is entitled to be a Member of an Organization.
381
+
382
+
In other words, as long as the User owns the email address, the User can be a Member.
383
+
384
+
It implies that updating the email address or removing the email address may not be desirable.
385
+
386
+
### Use case 6.1: Disallow Member to add, remove, or update Identities
387
+
388
+
> [!NOTE]
389
+
> In Stytch B2B Authentication, it is forbidden to add, remove, or update own email address.
390
+
391
+
When a User is a Member of an Organization,
392
+
the User is not allowed to add, remove, or update the following Identities:
393
+
394
+
- Email Login ID Identity
395
+
- Phone Login ID Identity
396
+
- Username Login ID Identity
397
+
- OAuth Identity
398
+
- LDAP Identity
399
+
400
+
The following Identities can still be added and removed:
401
+
402
+
- Biometric Identity
403
+
- Passkey Identity
404
+
405
+
#### Use case 6.1.1: Organization with Federated Login
406
+
407
+
Federated Login in this context means the end-user **MUST** sign in a particular Identity associated with the external Identity Provider.
408
+
409
+
- The end-user is not expected to add Identities. Federated Login means the end-user must sign in via the external Identity Provider. Adding Identities (and thus adding more login methods) are not useful at all.
410
+
- The end-user is not expected to update Identities. As long as the subject ID stays the same, Standard Attributes `email`, `phone_number` and `preferred_username` are updated automatically on login. The end-user need not update them manually.
411
+
- The end-user is not expected to delete Identities. In normal case, the User has only one Identity, which cannot be deleted anyway.
412
+
413
+
#### Use case 6.1.2: Organization with auto-membership
414
+
415
+
Since auto-membership works one way, allowing the user to update or remove Identities may contradict with the result of auto-membership.
416
+
417
+
Adding Identities generally does not contradict with auto-membership though.
0 commit comments