My application uses React on the frontend. On the Auth0 side, I have a custom social connection named custom-oauth2 and 3 organizations: A, B, and C.
The desired objective is that upon the first login, based on the email domain, the user is provisioned into the corresponding organization. For example,
When a user signs up for the first time, you can use a Post-Login Action that checks the user’s email domain (e.g., @bcompany.io) and automatically adds them to the correct organization. This ensures a seamless onboarding experience for your business users, placing them in the right context from their very first login without any manual steps.
You could use this sample code snippet as a reference on how this could be implemented:
```javascript
const { ManagementClient } = require('auth0');

exports.onExecutePostLogin = async (event, api) => {
  // 1. Run only on the user's first login.
  if (event.stats.logins_count !== 1) {
    return;
  }

  // 2. Define the mapping from email domain to organization ID directly.
  const orgMapping = {
    "a.com": "org_xxxxA", // Replace with Organization A's ID
    "bcompany.io": "org_xxxxB", // Replace with Organization B's ID
    "ccorp.com": "org_xxxxC" // Replace with Organization C's ID
  };

  // 3. Get the user's email domain.
  // Not every connection returns an email; without this guard split() throws.
  if (!event.user.email) {
    console.log(`No email on profile for user ${event.user.user_id}`);
    return;
  }
  // Lowercase so "User@BCompany.io" matches the "bcompany.io" key.
  const domain = (event.user.email.split('@')[1] || '').toLowerCase();
  const orgId = orgMapping[domain];

  // If the domain doesn't match any organization, stop.
  if (!orgId) {
    console.log(`No organization mapping found for domain: ${domain}`);
    return;
  }

  // 4. Use the Management API to add the user to the organization.
  const managementApi = new ManagementClient({
    domain: event.secrets.DOMAIN,
    clientId: event.secrets.CLIENT_ID,
    clientSecret: event.secrets.CLIENT_SECRET,
  });

  try {
    await managementApi.organizations.addMembers(orgId, {
      members: [event.user.user_id]
    });
    console.log(`Successfully assigned user ${event.user.user_id} to organization ${orgId}`);
  } catch (err) {
    // The login continues even if the assignment fails; the error is only logged.
    console.error(`Error assigning user to organization: ${err}`);
  }
};
```
I hope this helps and if you have further questions please let me know!
Best regards,
Remus
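Added example, not part of the replies in this thread: a stricter version of the domain-to-organization lookup from the Action above, written as a pure function so it can be run outside Auth0. It assumes the caller passes an object shaped like `event.user` (`email`, `email_verified`); the function name `resolveOrganization`, the reason strings and the sample users are constructed for illustration.

```javascript
// Domain -> organization ID; the IDs are the placeholders used in the Action above.
const ORG_BY_DOMAIN = new Map([
  ["a.com", "org_xxxxA"],
  ["bcompany.io", "org_xxxxB"],
  ["ccorp.com", "org_xxxxC"],
]);

// Decide whether a user may be auto-provisioned. `user` has the shape of
// event.user in a Post-Login Action (email, email_verified).
function resolveOrganization(user) {
  if (!user || typeof user.email !== "string") {
    return { orgId: null, reason: "no_email" };
  }
  // An unverified address says nothing about who controls the mailbox.
  if (user.email_verified !== true) {
    return { orgId: null, reason: "email_not_verified" };
  }
  const email = user.email.trim().toLowerCase();
  const at = email.lastIndexOf("@");
  if (at < 1 || at === email.length - 1) {
    return { orgId: null, reason: "malformed_email" };
  }
  // Domain is everything after the last "@"; matching is exact, so
  // "a.com.example.net" and "nota.com" never map to Organization A.
  const domain = email.slice(at + 1);
  // Map.get ignores inherited keys such as "constructor" that a plain
  // object lookup would return as a truthy value.
  const orgId = ORG_BY_DOMAIN.get(domain);
  if (!orgId) {
    return { orgId: null, reason: "unmapped_domain" };
  }
  return { orgId, reason: "matched" };
}

// Constructed sample users (not real accounts).
const SAMPLE_USERS = [
  { email: "Alice@BCompany.io", email_verified: true },
  { email: "bob@bcompany.io", email_verified: false },
  { email: "carol@a.com.example.net", email_verified: true },
  { email: "dave@constructor", email_verified: true },
  { email: "erin", email_verified: true },
];

for (const u of SAMPLE_USERS) {
  console.log(u.email, "->", JSON.stringify(resolveOrganization(u)));
}
```

Inside the Action, the result of `resolveOrganization(event.user)` would replace steps 2 and 3, with the Management API call made only when `orgId` is not null.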
Thanks for the solution. The organization assignment works perfectly.
However, after the Post-Login Action runs and the user logs in to the application, they don’t have the organization context in the token. In other words, the application doesn’t know which organization they authenticate with.
How can I log the user in with the correct organization context after the organization assignment?
I am glad that this is working for you. You can achieve this by silently re-authenticating the user in your React app.
When your Post-Login Action successfully assigns a user to an organization, you should also add a final “flag” by setting a Custom Claim within the ID Token. This claim acts as a temporary signal, containing the ID of the organization the user was just assigned to. You can check out Set ID Token Claims Using Actions, so in the try ... catch block you can add a line such as:
The next step would be to create a dedicated route within your React application specifically to handle the post-login redirect, for example, a route at /callback. This route will render a component whose sole purpose is to inspect the results of the authentication before allowing the user to proceed into your main application (check if the new flag was set). You should configure this new URL (e.g., https://your-app.com/callback) as the Allowed Callback URL in your Auth0 Application’s settings. This configuration forces Auth0 to send the user to this specific interception point in your app immediately after they authenticate.
Within this component, you can use the useAuth0() hook to get access to the user’s state. Then, by using the useEffect hook, check to see if the custom claim is present in the token; if the flag is found, the component’s job is to trigger an immediate and silent re-authentication. You will do this by calling the loginWithRedirect function from the useAuth0 hook. Crucially, you must pass the organization ID from the custom claim to this function, for example: loginWithRedirect({ authorizationParams: { organization: newOrgId } });
Because the user has an active SSO session from the initial login, they will not be asked for their credentials again. They are instantly redirected back to your application, and this time, the new ID Token they receive will correctly contain the organization context (org_id), completing the flow.
I hope this helps, and if you have further questions please let me know!
Kind regards,
Remus