K
Kinde4mo ago
Pramus

Separate login per organization

I'm working on a multi-tenant application. I would like to allow the users to register per organization but I found a small issue. Scenario: 1. User tries to log into App A (represented in Kinde by Organization 1) - gets info that they don't have an account and are prompted to create one 2. Users registers in App A - user registered 3. User tries to log into App B (represented by Organization 2) - instead of the behavior like in step 1 so being prompted to register, the user gets info that they don't have permissions for Organization 2 The expected UX should be that the organizations are independent. The user who has an account in Organization 1, when attempting to login to Organization 2, should be prompted that they are not registered. Unfortunately trying to log into another organization while already being registered to one, shows that the user is already registered but doesn't have permissions - this exposes information that the user is already registered elsewhere but from the users perspective there's no elsewhere - each tenant instance should be independent. This not only looks disruptive but might be considered an issue in terms of user privacy. Interestingly, going directly to registration allows the user to register anew and the outcome is that the user is simply added to the organization. The problem lies within the login feature.
No description
18 Replies
palooka8300
palooka83004mo ago
Out of curiosity where are you seeing this behaviour? Is it on the sign up screen? Because the login flow does not show any organisations for my users if they’re not already members. For my multitenant user registration i use a custom page in my app and use the api to add the user to the organization, after which it shows up in their list when they try log in.
Pramus
Pramus4mo ago
I'm using <LoginLink /> and <RegisterLink /> components in NextJS provided by Kinde. Indeed the issue probably might be solved using custom UI but I believe there's room for improvement for Kinde auth pages as well. I swap the "orgCode" property depending on the instance and that's how I noticed that behavior.
palooka8300
palooka83004mo ago
Ah interesting. That makes sense. Mine is a b2b app so I don’t use their sign up process at all. I’m sure the kinde team will respond but most of them are already into Friday night in Australia
Pramus
Pramus4mo ago
Right. I'll bump it on Monday then. Good call, thanks!
Claire_Kinde
Claire_Kinde4mo ago
Hi Pramus, Palooka is right, you'll have to wait for Monday for an engineer's response. But just wanted to point you to a few docs in case they help: https://kinde.com/docs/build/allow-user-signup-org/ https://kinde.com/docs/user-management/manage-users-across-organizations https://kinde.com/docs/build/multi-tenancy-using-organizations/ https://kinde.com/docs/authentication-and-access/navigate-between-organizations
Kinde Docs
Manage user sign up to organizations - Build on Kinde - Help center
Our developer tools provide everything you need to get started with Kinde.
Kinde Docs
Manage users across organizations - User management - Help center
Our developer tools provide everything you need to get started with Kinde.
Kinde Docs
Multi-tenancy using organizations - Build on Kinde - Help center
Our developer tools provide everything you need to get started with Kinde.
Kinde Docs
Build a switch to navigate between organizations - Authentication a...
Our developer tools provide everything you need to get started with Kinde.
Pramus
Pramus3mo ago
I'm afraid that the docs you provided don't cover that scenario but thank you anyway 🙂 @Claire_Kinde I'm afraid that this thread went down the list. Do you know anyone who could answer this question?
Claire_Kinde
Claire_Kinde3mo ago
Hey Pramus. Sorry about that. I'll bump your request and see if our brilliant UK dev can help. He'll be on soon. Hi again Pramus. I did bump your message. So sorry you haven't been answered yet. I have pinged three devs and marked with some urgency, so hoping someone comes back to you ASAP.
Oli - Kinde
Oli - Kinde3mo ago
Hey @Pramus, Sorry that you have been experiencing this issue. I will speak to my team on this issue first thing tomorrow morning. Apologies for the inconvience. Hi @Pramus, I would love to know more about the ideal experience you want to build for your customers. It sounds like you don't want to share the user pool with each organization and you want each user pool associated with each organization to be completely separate, is this right? If so, are you able to explain more about the product you are building and what each organization represents?
Pramus
Pramus3mo ago
Like I mentioned - I'm building a multi-tenant application. The experience I want to achieve is described in the post. Each instance should be completely independent. Therefore I'd like to allow uses to have 'separate' accounts per tenant. There are two solutions though: 1. Consequently separate user pools - organizations don't allow that since the users are in one pool anyway. I'm not sure if it's achievable with Kinde. 2. A compromise - use one pool but assign users to the tenant organization on registration. It'd be ok for me (as I have my own users table per tenant db and can hold additional data there) if not for the problem described in the post.
Oli - Kinde
Oli - Kinde3mo ago
Hi @Pramus, Our multi-tenancy solution is focused on different tenants that have the same user pool. So unfortunately #1 is not achievable. I would suggest going ahead with your #2 proposed solution.
Pramus
Pramus3mo ago
Ok but the problem described in my post persists...
Oli - Kinde
Oli - Kinde3mo ago
Understood. I have noted down your request/use-case to have completely separate user pools per tent and passed it to my team.
Pramus
Pramus3mo ago
That would be great but I'm not sure we are on the same page - what I mean is that even with the common user pool there is an issue The issue I described in my original post and the followup comment The user that registered to one tenant (organization), shouldn't be getting a message on another tenant (organization) that they don't have access but rather be asked to register. Please refer to the Scenario I described in my original post
Oli - Kinde
Oli - Kinde3mo ago
Hey @Pramus, Kinde is built in a way where users can only access organizations they have access to. The reason for the experience above is that we explicitly treat authentication (identity you are who you say you are) and authorization as 2 separate logical components that are separate but related. In the login flow in Kinde, we always first authenticate the identity of the user, and then check their authorization. I will get back to you tomorrow, once I speak to my team, on how to achieve your desired scenario above. Apologies for not understanding your message your original scenario cannot be achieved.
Pramus
Pramus3mo ago
Thank you @Oli - Kinde . As a small hint - I believe the behaviour I'd expect is already achievable like @palooka8300 mentioned but only via custom interface using the API. Therefore the change in the out-of-the-box flow (by what I mean your React components and Kinde authentication flow) shouldn't be a big thing. What I can think of could be some kind of an opt-in flag inside organizations to prompt the users existing in the common pool to register anew in the new org instead of alerting them that they don't have permissions. That should give the end users the experience of multi-tenancy.
Oli - Kinde
Oli - Kinde3mo ago
Sorry @Pramus, Still discussing this with my team. I will come back to you with another update tomorrow. Hi @Pramus, After looking at your scenario and expected outcome again, the only reasonable workaround I can see is using a custom page (like @palooka8300 said). You could implement logic on your custom page that would check if the user is a member of the organization or not. You can check this via the Kinde Management API - If the user is not part of the organization, you can show a message saying this and not direct them to the verify password or code page - If the user is part of the organization, you can direct them to the next verify password or code page Please let me know if you have any further questions.
Pramus
Pramus3mo ago
That would require creating an entire custom login flow, it's not an ideal solution but it is what it is As I see it, Kinde without the custom login flow is not ready for multi-tenancy
Oli - Kinde
Oli - Kinde3mo ago
Thanks again for your feedback @Pramus. I have passed this onto my team.
Want results from more Discord servers?
Add your server
More Posts
Kinde Management apiDid I misunderstood something here ? I'm trying to create a user with the role "user", but Kinde doProtect Next.js route handlers with machine-to-machine application?Hi, I want to expose the route handlers defined in Next.js 14 application for external applicationsLogout button doesn't renderedI have implemented user auth using kinde successfully and my ecommerce website is able to login andChaining Middlewares Next.JS Kinde + next-internationalHi, as the title says I'm struggling to figure out how to use two different Next.js middlewares togeHas anyone used kinde_flutter_sdk to build android app?I am having issues building android APK with kinde_flutter_sdk for auth. I install the SDK and withoUnable to login to our dashboard in KindeHello, I'm getting this error when I sign in to my account 404 Domain not found The requested domaiBilling feature launch dateWhen will the billing feature be available to integrate and use. At least give the tentative dateWhat would be the most secure way to create invitation link for users to join an organizations ?I'm using resend to send the invitation link (Nextjs app router SDK). The link should be created witDoes the expo/RN SDK work with react native web?Hi, I am starting a new project and wanted to know if the Expo SDK supports React Native Web?How to prefill "First name" and "Last name" like we can do email with "login_hint"We have a custom authentication page. So email/first name/last name are already curated. We are able