Add research result on Clerk

louischan-oursky · louischan-oursky · commit 44e35af73b8a · 2025-06-09T13:00:33.000+08:00
diff --git a/docs/specs/organization/00-index.md b/docs/specs/organization/00-index.md
@@ -10,5 +10,6 @@ Read the following documents for detailed study on each competitor
 - [FushionAuth](./04-fushionauth.md)
 - [SuperTokens](./05-supertokens.md)
 - [Zitadel](./06-zitadel.md)
+- [Clerk](./07-clerk.md)
 
 The design draft is at [./10-draft.md](./10-draft.md).
diff --git a/docs/specs/organization/01-comparison.md b/docs/specs/organization/01-comparison.md
@@ -6,16 +6,16 @@
 > [!IMPORTANT]
 > SuperTokens is not included in this table because it does not natively support organization at all.
 
-| Item                                  | Auth0                                   | Stytch                                                                       | Zitadel                                          |
-| ---                                   | ---                                     | ---                                                                          | ---                                              |
-| Organization is optional              | Yes                                     | Authentication Type is determined at project creation. Unmodifiable.         | No                                               |
-| Support building GitHub-style service | Yes                                     | Have to emulate with 2 projects                                              | Yes                                              |
-| Different password policies           | Yes                                     | Either Cross-organization or Organization-scoped. Once chosen, no going back | Yes                                              |
-| Different MFA policies                | Use post-login action to customize      | Yes                                                                          | Yes                                              |
-| IAM                                   | Yes                                     | Yes                                                                          | Yes                                              |
-| Invitation                            | Yes. Can return to specific application | Only supported at API level. Can return to specific URL to your backend      | Yes when V2 API is enabled. Cannot return to URL |
-| Email discovery                       | Yes                                     | Yes                                                                          | No                                               |
-| Organization switcher                 | No. Session bound to single org         | Provide API for self-implementation                                          | No                                               |
+| Item                                  | Auth0                                   | Stytch                                                                       | Zitadel                                          | Clerk |
+| ---                                   | ---                                     | ---                                                                          | ---                                              | ---   |
+| Organization is optional              | Yes                                     | Authentication Type is determined at project creation. Unmodifiable.         | No                                               | Yes   |
+| Support building GitHub-style service | Yes                                     | Have to emulate with 2 projects                                              | Yes                                              | Yes   |
+| Different password policies           | Yes                                     | Either Cross-organization or Organization-scoped. Once chosen, no going back | Yes                                              | No    |
+| Different MFA policies                | Use post-login action to customize      | Yes                                                                          | Yes                                              | No    |
+| IAM                                   | Yes                                     | Yes                                                                          | Yes                                              | No    |
+| Invitation                            | Yes. Can return to specific application | Only supported at API level. Can return to specific URL to your backend      | Yes when V2 API is enabled. Cannot return to URL | Yes   |
+| Email discovery                       | Yes                                     | Yes                                                                          | No                                               | No    |
+| Organization switcher                 | No. Session bound to single org         | Provide API for self-implementation                                          | No                                               | Yes      |
 
 ## Implications
 
@@ -24,29 +24,39 @@
 In all competitors, a sign-in session is bound to a single organization only.
 In Stytch, organization switching is done with token exchange.
 
+In Clerk, the end-user can just switch organization without signing-in again.
+
 ### GitHub-style service
 
 IMO, Auth0 is the most easiest to work with.
 It does not enforce that an organization must exist, and does not enforce that users must belong to one and only one organization.
 It just models GitHub-Style service naturally.
 
+Clerk also models this easily.
+
 ### Different password policies and different MFA policies
 
 In Auth0, password policies to tied to the connection, while MFA is a project-wide setting.
 In competitors where organization is mandatory and user belonging to a single organization, all these authentication settings are tied to the organization.
 
 IMO, authentication settings should be organization-overridable.
 
+Notably, Clerk does not support this.
+
 ### IAM
 
 In all competitors, the IAM use case is trivial to implement.
 We should consider that in our design.
 
+Notably, Clerk does not support this.
+
 ### Invitation
 
 It seems that invitation is not very well implemented among competitors.
 Auth0 does the best in this area.
 
+Clerk supports this quite well, given that it is not OIDC-based, and it literally just allows you to specify `redirect_uri`.
+
 ### Email discovery
 
 Again Auth0 does the best here.
@@ -57,8 +67,9 @@ At the end you have to try out the example app to test it out yourselves.
 
 ### Organization switcher
 
-No competitors support this out-of-the-box.
-
 In particular, Auth0 does not report to the client application that how organization the user belong to.
 
 In other competitors where a user belongs to one and only one organization, you have to do it yourselves.
+
+Only Clerk supports this out-of-box, but given its lack of support of different password policies and different MFA policies,
+it is not very useful.
diff --git a/docs/specs/organization/07-clerk.md b/docs/specs/organization/07-clerk.md
@@ -0,0 +1,63 @@
+# A brief research on how Organization works in Clerk
+
+This document is valid as of 2025-06-09.
+
+## Concepts
+
+Clerk does not build on top of OIDC, so it does not have things like OIDC client applications.
+
+### Application
+
+- An application has its own domain.
+
+### Organization
+
+- Organization is off by default.
+- Once it is turned on, every user is allowed to create organization by default.
+- Organization does not have specific settings, e.g. password policy.
+
+### User
+
+- A user can belong to no organization.
+- A user can belong to multiple organization.
+
+## How to do usecase X
+
+### Usecase 1: Different password policies
+
+Not possible. It is because organization does not have specific settings.
+At least I did not see it in the dashboard.
+Checking the API documentation does not reveal something similar.
+See https://clerk.com/docs/references/backend/organization/update-organization
+
+### Usecase 2: IAM
+
+Not possible. It is because email address has to be globally unique.
+It is not possible to create an IAM user that shares the same address with a user in the global user pool.
+
+### Usecase 3: Different MFA policies
+
+Not possible. The reason is the same as that of different password policies.
+
+### Usecase 4: Invitation
+
+See https://clerk.com/docs/organizations/invitations
+
+The invitation must target an email address.
+The invitation can optionally take `redirect_uri` which allows to redirect the user.
+
+### Usecase 5: Email discovery
+
+The prebuilt <SignIn> component does not offer a way to select organization on sign in.
+The active organization is taken from the last active one.
+The last active one is the one selected by the end-user in the <OrganizationSwitcher> component.
+
+In this sense, it does not really support the typical email discovery.
+
+### Usecase 6: Organization Switcher
+
+It supports a prebuilt <OrganizationSwitcher> component in the NextJS SDK.
+
+However, due to the fact that it does not support organization specific settings,
+switching organization is just about switching the last active org ID.
+It does not do things like authenticate again if the specific organization requires MFA.
