How to Assign an Auth0 User to an Organization Using a Post-Login Action

Overview

This article provides a step-by-step guide on how to automatically assign a user to a specific Organization immediately after they log in by using a Post-Login Action and the Auth0 Management API.

Applies To
  • Actions
  • Organizations
  • Auth0 Management API
  • Login Flow

Cause

For certain workflows, it is necessary to programmatically add users to an Organization based on logic executed during the login process. A Post-Login Action provides the ideal trigger for implementing this custom logic without altering the core application code.

Solution

Before creating the Action, ensure the following are in place:

  • An Organization has been created in the Auth0 Dashboard. The Organization ID will be required. To find it, navigate to Organizations, select the desired organization, and copy the ID from the top of the page. As a best practice, save the Organization ID as an Action secret rather than hardcoding it in the script.
  • The Connection from which the user authenticates (for example, a database connection, social provider) must be enabled for the target Organization. This can be configured in the Connections tab of the Organization's settings.
  • A Machine-to-Machine (M2M) application is set up to interact with the Management API. This M2M application must be granted the following permissions:
      • create:organization_members
      • read:organizations
      • read:organization_connections
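
The following added example (not part of the original article and not Auth0's own code) checks that an access token issued to the M2M application carries exactly the three permissions listed above and nothing broader. It assumes the token is a JWT whose scope claim is a space-separated string and whose audience is https://TENANT_DOMAIN/api/v2/; the function names, the tenant name, and the sample token are constructed for illustration.

```javascript
// Added example: least-privilege audit of a Management API access token.
// REQUIRED_SCOPES is taken from the prerequisites above; all names are illustrative.
const REQUIRED_SCOPES = [
  "create:organization_members",
  "read:organizations",
  "read:organization_connections",
];

// Decode the payload segment of a JWT WITHOUT verifying the signature.
// Suitable only for inspecting a token you requested yourself.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a three-part JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Compare granted scopes with the required set and check the audience.
function auditM2mToken(token, tenantDomain) {
  const payload = decodeJwtPayload(token);
  const granted = new Set(String(payload.scope || "").split(/\s+/).filter(Boolean));
  const missing = REQUIRED_SCOPES.filter((s) => !granted.has(s));
  const excess = [...granted].filter((s) => !REQUIRED_SCOPES.includes(s)).sort();
  const audiences = [].concat(payload.aud || []); // aud may be a string or an array
  return {
    audienceOk: audiences.includes(`https://${tenantDomain}/api/v2/`),
    missing, // scopes the Action needs but the token lacks
    excess,  // scopes the Action does not need: remove them from the M2M grant
    leastPrivilege: missing.length === 0 && excess.length === 0,
  };
}

// Build an unsigned, constructed token so the example runs offline.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}

// Constructed sample: the grant includes one scope the Action never uses.
const sample = makeSampleToken({
  aud: "https://example-tenant.us.auth0.com/api/v2/",
  scope: REQUIRED_SCOPES.concat("delete:users").join(" "),
});
console.log(auditM2mToken(sample, "example-tenant.us.auth0.com"));
```

Any entry reported under excess widens what a leaked CLIENT_SECRET can do and should be removed from the M2M application's grant.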

Create the Post-Login Action

  1. Navigate to Actions > Library in the Auth0 Dashboard.
  2. Click Build from Scratch.
  3. Provide a name for the Action, such as "Assign User to Organization".
  4. Set the Trigger to Login / Post Login.
  5. Select the desired Runtime.
  6. Click Create.

In the Action editor:

  1. Select the Dependencies icon (cube) on the left sidebar.
  2. Click Add Dependency.
  3. For Name, enter auth0.
  4. For Version, enter latest or a specific version (for example, 4.2.0).
  5. Click Create.
  6. Select the Secrets icon (key) on the left sidebar.
  7. Click Add Secret and add the following key-value pairs, using the values from the M2M application and Organization:
    • TENANT_DOMAIN: The Auth0 domain (for example, Name-tenant.us.auth0.com).
    • CLIENT_ID: The Client ID of the M2M application.
    • CLIENT_SECRET: The Client Secret of the M2M application.
    • ORGANIZATION_ID: The ID of the Organization to which users will be assigned.

Copy the following JavaScript code and paste it into the onExecutePostLogin function in the Action editor. This code initializes the Management API client using the secrets and then adds the currently logged-in user to the specified Organization.


exports.onExecutePostLogin = async (event, api) => {
  const ManagementClient = require("auth0").ManagementClient;

  const client = new ManagementClient({
    domain: event.secrets.TENANT_DOMAIN,
    clientId: event.secrets.CLIENT_ID,
    clientSecret: event.secrets.CLIENT_SECRET,
  });

  try {
    const connectionId = event.connection.id;
    // Define organizationId by pulling it from the Action secrets
    const organizationId = event.secrets.ORGANIZATION_ID;

    // This acts as a validation step. It will throw an error and jump to the catch block if the connection is not enabled for the org.
    await client.organizations.enabledConnections.get(organizationId, connectionId);

    // Add the user to the organization
    await client.organizations.members.create(organizationId, {
      members: [event.user.user_id]
    });
    
    console.log("user added to org");

  } catch (error) {
    console.log("user not added to org: ", error.message);
  }
};

Once the code is complete, follow these next steps:

Deploy the Action

  1. Click Save Draft.
  2. Click Deploy to activate the Action.

Add the Action to the Login Flow

  1. Navigate to Actions > Triggers and select the post-login trigger.
  2. Drag the newly created Action from the Custom tab on the right into the flow between the Start and Complete steps.
  3. Click Apply.

The setup is now complete. The next time a user logs in through this flow, the Action will execute and assign them to the specified Organization.
