You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When authentication is done via OIDC (The is the most common case), the developer wants to know which Organization the Member has signed in.
495
+
496
+
Organization has a developer-provided unique slug across the Project.
497
+
We include Organization slug in the ID token instead of the generated ID of the Organization.
498
+
499
+
This is an example of ID token:
500
+
```json
501
+
{
502
+
"iss": "https://auth.myapp.com",
503
+
"aud": ["mobileapp"],
504
+
"sub": "johndoe",
505
+
"scope": "openid offline_access",
506
+
"org_slug": "myorg"
507
+
}
508
+
```
509
+
510
+
This ID token implies:
511
+
512
+
- The User `johndoe` is a Member of `myorg`.
513
+
- The User `johndoe` signed in `myorg`.
514
+
515
+
> [!NOTE]
516
+
> This proposal is different from what Fung proposed in Linear.
517
+
518
+
### Use case 8.2: `member_orgs` in UserInfo
519
+
520
+
> [!NOTE]
521
+
> Auth0 does not support this out-of-the-box.
522
+
> The developer is expected to make use of the Management API to find out what Organizations the User is Member of.
523
+
524
+
We first need to answer this question:
525
+
526
+
> Is it appropriate to disclose what Organization the User is Member of,
527
+
> given that the User may be a Member of an Organization that has a more strict password policy, MFA requirement, or Federated Login.
528
+
529
+
Actually this question also applies to `prompt_end_user_for_organization_last` in Use case 7.1.
530
+
If we agree that it is appropriate to have Use case 7.1, then the answer to this question is "Yes, it is appropriate to disclose such information, as long as the User is identified and authenticated".
531
+
532
+
Another potential problem is that the User could be a Member of many Organizations.
533
+
534
+
> [!IMPORTANT]
535
+
> Should we limit the maximum number of Organizations a User can be a member of? Is 100 a reasonable hard limit?
536
+
537
+
This use case could be essential for implementing Organization Switcher.
538
+
539
+
In the Organization Switcher we commonly see in online services,
540
+
the following information are shown
541
+
542
+
- A display name of the Organization. This is different from the Organization Slug.
543
+
- An icon of the Organization, if the Organization has one.
544
+
- The Organization Slug, either as a standalone string, or be interpolated as a URL.
545
+
546
+
So the developer wants information like
547
+
548
+
```json
549
+
[
550
+
{
551
+
"org_display_name": "Oursky",
552
+
"org_slug": "oursky",
553
+
"org_icon_url": "https://oursky.com/favicon.png"
554
+
},
555
+
{
556
+
"org_display_name": "FormX",
557
+
"org_slug": "formx",
558
+
"org_icon_url": "https://formx.ai/favicon.png"
559
+
}
560
+
]
561
+
```
562
+
563
+
Given that this information is not bound to session (unlike `org_slug` in tokens), maybe we should include this information in UserInfo instead.
564
+
Not including this information in tokens can ensure the size of the tokens is small, and does not grow proportional to the number of Members.
565
+
Access Token is usually included in HTTP header, and HTTP headers commonly has a practical size limit of 4000 bytes to 8000 bytes.
566
+
567
+
The final proposal is to include `member_orgs` in UserInfo.
568
+
569
+
Here is an example:
570
+
571
+
```json
572
+
{
573
+
"sub": "johndoe",
574
+
"member_orgs": [
575
+
{
576
+
"org_display_name": "Oursky",
577
+
"org_slug": "oursky",
578
+
"org_icon_url": "https://oursky.com/favicon.png"
579
+
},
580
+
{
581
+
"org_display_name": "FormX",
582
+
"org_slug": "formx",
583
+
"org_icon_url": "https://formx.ai/favicon.png"
584
+
}
585
+
],
586
+
"email": "louischan@oursky.com"
587
+
}
588
+
```
589
+
590
+
### Use case 8.3: Authentication Output in Cookies
0 commit comments