What problem did you meet?
At this moment there is no option to specify an organization when a login request is sent to Logto to enforce a basic authorization check at Logto.
We have a single tenant inside Logto and multiple organizations (our clients) under that tenant. Each of these organizations has its own set of users. Each organization will have a (WordPress) website which will use the Logto hosted page for signing the users in. We will have a single application that will be connected to all these websites.
Since all the users (from all different organizations) live under a single tenant, at this moment a user from Organization B will be able to pass the authentication check (at Logto) for Website A. We definitely have the additional authorization check at the website which will check the user's organizations and then validate whether the user is allowed to access the website or not. But it would be nice if they could be denied access right at the Logto screen based on the organization specified in the login request.
A few examples from other providers:
- Kinde has an org_code parameter that can be used to enforce the organization check when a user tries to log in: https://docs.kinde.com/developer-tools/about/using-kinde-without-an-sdk/#org_code and https://docs.kinde.com/build/organizations/orgs-for-developers/#signing-users-into-an-existing-organization. Essentially their OpenID login URL can be used in this way: https://[your_kinde_domain].kinde.com/oauth2/auth?org_code=org_id
- Zitadel uses a scope (urn:zitadel:iam:org:id:{id}): https://zitadel.com/docs/apis/openidoauth/scopes
- Frontegg has an organization parameter, e.g. {YOUR_DOMAIN}.com/oauth?organization={ACCOUNT_NAME}: https://docs.frontegg.com/docs/custom-login-box
Describe what you'd like Logto to have
It would be nice to have the ability to perform this basic authorization check right at the Logto login screen. I understand this approach can easily be tampered with due to the organization parameter being present in the URL. So, we already have the main authorization check implemented at the website based on the JWT claims returned by Logto.
In addition to that, if there is a possibility of specifying more than one organization in the login request, that would be great, as it will allow us to specify a global organization (our team members) and a client-specific organization (let's say ORG_A) for this login enforcement. That way users from our team as well as the client's own users are allowed to access the website (WEBSITE A in this case) and it will deny access to any other users, e.g. https://<TENANT_ID>.logto.app/oidc/auth?organizations=org_global,org_a
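The point the request makes about the URL parameter being tamperable is the important one: whatever hint the website puts in the login URL, the decision that keeps a user from Organization B out of Website A has to be made from the verified token claims on the website side. The following is an added example (not code from the issue author, Logto, or WordPress) showing both halves in Python: building the proposed authorize URL with the hypothetical comma-separated `organizations` hint from the issue, and the claims-based check that actually enforces membership. It assumes the ID token has already been signature-verified against the tenant's JWKS by the site's OIDC library, that Logto exposes the user's organization IDs as an `organizations` list claim when the organizations scope (assumed here to be `urn:logto:scope:organizations`) is requested, and uses placeholder tenant, client and organization IDs.

```python
"""Website-side organization authorization for a Logto login.

Added illustration, not Logto's or the issue author's code. Assumptions:
the ID token was already signature-verified against the tenant's JWKS by the
site's OIDC library; Logto places the user's organization IDs in an
`organizations` claim (list of strings) when the organizations scope is
requested; the `organizations` query parameter is the hypothetical feature
proposed in the issue, not an existing Logto parameter.
"""
import time
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed configuration for "Website A": the issuer and audience it
# expects and the organizations whose members may sign in (placeholders).
WEBSITE_A = {
    "issuer": "https://TENANT_ID.logto.app/oidc",  # placeholder tenant
    "client_id": "app-client-id",                   # placeholder app id
    "allowed_orgs": {"org_global", "org_a"},
}


def build_login_url(issuer: str, client_id: str, redirect_uri: str, orgs) -> str:
    """Build the authorize URL carrying the proposed comma-separated
    `organizations` hint. Because it travels in the URL, anyone can edit it;
    it can only ever be a hint for the hosted page, never the decision."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        # assumed Logto scope name for the organizations claim
        "scope": "openid profile urn:logto:scope:organizations",
        "organizations": ",".join(sorted(orgs)),  # hypothetical parameter
    }
    return f"{issuer}/auth?{urlencode(params)}"


def authorize_login(claims: dict, site: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether the holder of an already signature-verified ID token may
    enter this website. Returns (allowed, reason); every rejection carries an
    explicit reason so it can be logged. Nothing here trusts the login URL."""
    now = time.time() if now is None else now
    if claims.get("iss") != site["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if site["client_id"] not in aud_list:
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    orgs = claims.get("organizations")
    # A missing or malformed claim is a deny, not a pass: the site must not
    # fall back to "no organizations means unrestricted".
    if not isinstance(orgs, list) or not all(isinstance(o, str) for o in orgs):
        return False, "organizations claim missing or malformed"
    matched = site["allowed_orgs"].intersection(orgs)
    if not matched:
        return False, "user belongs to no allowed organization"
    return True, "member of " + ",".join(sorted(matched))


if __name__ == "__main__":
    print(build_login_url(WEBSITE_A["issuer"], WEBSITE_A["client_id"],
                          "https://website-a.example/callback", WEBSITE_A["allowed_orgs"]))
    # Constructed claims for a user who only belongs to Organization B.
    org_b_user = {"iss": WEBSITE_A["issuer"], "aud": "app-client-id",
                  "exp": time.time() + 600, "organizations": ["org_b"]}
    print(authorize_login(org_b_user, WEBSITE_A))
```

The check deliberately treats an absent or non-list `organizations` claim as a denial, so a token issued without the organizations scope cannot slip past the site, and it reports which allowed organization matched so the site log shows whether a team member (org_global) or a client user (org_a) signed in.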