Kinde•2y ago

Separate login per organization

I'm working on a multi-tenant application. I would like to allow the users to register per organization but I found a small issue.

Scenario:

User tries to log into App A (represented in Kinde by Organization 1) - gets info that they don't have an account and are prompted to create one
Users registers in App A - user registered
User tries to log into App B (represented by Organization 2) - instead of the behavior like in step 1 so being prompted to register, the user gets info that they don't have permissions for Organization 2

The expected UX should be that the organizations are independent. The user who has an account in Organization 1, when attempting to login to Organization 2, should be prompted that they are not registered. Unfortunately trying to log into another organization while already being registered to one, shows that the user is already registered but doesn't have permissions - this exposes information that the user is already registered elsewhere but from the users perspective there's no elsewhere - each tenant instance should be independent. This not only looks disruptive but might be considered an issue in terms of user privacy.

Interestingly, going directly to registration allows the user to register anew and the outcome is that the user is simply added to the organization. The problem lies within the login feature.

palooka8300•4/26/24, 8:38 AM

Out of curiosity where are you seeing this behaviour? Is it on the sign up screen? Because the login flow does not show any organisations for my users if they’re not already members. For my multitenant user registration i use a custom page in my app and use the api to add the user to the organization, after which it shows up in their list when they try log in.

PramusOP•4/26/24, 8:41 AM

I'm using <LoginLink /> and <RegisterLink /> components in NextJS provided by Kinde. Indeed the issue probably might be solved using custom UI but I believe there's room for improvement for Kinde auth pages as well.

I swap the "orgCode" property depending on the instance and that's how I noticed that behavior.

palooka8300•4/26/24, 8:50 AM

Ah interesting. That makes sense. Mine is a b2b app so I don’t use their sign up process at all. I’m sure the kinde team will respond but most of them are already into Friday night in Australia

PramusOP•4/26/24, 8:59 AM

Right. I'll bump it on Monday then. Good call, thanks!

CB_Kinde•4/27/24, 12:12 AM

Hi Pramus, Palooka is right, you'll have to wait for Monday for an engineer's response. But just wanted to point you to a few docs in case they help:
https://kinde.com/docs/build/allow-user-signup-org/
https://kinde.com/docs/user-management/manage-users-across-organizations
https://kinde.com/docs/build/multi-tenancy-using-organizations/
https://kinde.com/docs/authentication-and-access/navigate-between-organizations

Kinde Docs

Manage user sign up to organizations - Build on Kinde - Help center

Our developer tools provide everything you need to get started with Kinde.

Kinde Docs

Manage users across organizations - User management - Help center

Our developer tools provide everything you need to get started with Kinde.

Kinde Docs

Multi-tenancy using organizations - Build on Kinde - Help center

Our developer tools provide everything you need to get started with Kinde.

Kinde Docs

Build a switch to navigate between organizations - Authentication a...

Our developer tools provide everything you need to get started with Kinde.

PramusOP•4/29/24, 7:15 AM

I'm afraid that the docs you provided don't cover that scenario but thank you anyway

PramusOP•4/30/24, 7:26 AM

@Claire_Kinde I'm afraid that this thread went down the list. Do you know anyone who could answer this question?

CB_Kinde•4/30/24, 7:43 AM

Hey Pramus. Sorry about that. I'll bump your request and see if our brilliant UK dev can help. He'll be on soon.

CB_Kinde•5/6/24, 7:54 AM

Hi again Pramus. I did bump your message. So sorry you haven't been answered yet. I have pinged three devs and marked with some urgency, so hoping someone comes back to you ASAP.

Oli - Kinde•5/6/24, 8:01 AM

Hey @Pramus,
Sorry that you have been experiencing this issue.
I will speak to my team on this issue first thing tomorrow morning.

Apologies for the inconvience.

Oli - Kinde•5/7/24, 7:23 AM

Hi @Pramus,
I would love to know more about the ideal experience you want to build for your customers.

It sounds like you don't want to share the user pool with each organization and you want each user pool associated with each organization to be completely separate, is this right?
If so, are you able to explain more about the product you are building and what each organization represents?

PramusOP•5/7/24, 7:49 AM

Like I mentioned - I'm building a multi-tenant application. The experience I want to achieve is described in the post. Each instance should be completely independent. Therefore I'd like to allow uses to have 'separate' accounts per tenant. There are two solutions though:

Consequently separate user pools - organizations don't allow that since the users are in one pool anyway. I'm not sure if it's achievable with Kinde.
A compromise - use one pool but assign users to the tenant organization on registration. It'd be ok for me (as I have my own users table per tenant db and can hold additional data there) if not for the problem described in the post.

Oli - Kinde•5/7/24, 10:40 AM

Hi @Pramus,
Our multi-tenancy solution is focused on different tenants that have the same user pool. So unfortunately #1 is not achievable.
I would suggest going ahead with your #2 proposed solution.

PramusOP•5/7/24, 11:02 AM

Ok but the problem described in my post persists...

Oli - Kinde•5/7/24, 11:04 AM

Understood. I have noted down your request/use-case to have completely separate user pools per tent and passed it to my team.

PramusOP•5/7/24, 11:05 AM

That would be great but I'm not sure we are on the same page - what I mean is that even with the common user pool there is an issue

PramusOP•5/7/24, 11:05 AM

The issue I described in my original post and the followup comment

PramusOP•5/7/24, 11:07 AM

The user that registered to one tenant (organization), shouldn't be getting a message on another tenant (organization) that they don't have access but rather be asked to register.

PramusOP•5/7/24, 11:08 AM

Please refer to the Scenario I described in my original post

Oli - Kinde•5/7/24, 11:15 AM

Hey @Pramus,
Kinde is built in a way where users can only access organizations they have access to.
The reason for the experience above is that we explicitly treat authentication (identity you are who you say you are) and authorization as 2 separate logical components that are separate but related. In the login flow in Kinde, we always first authenticate the identity of the user, and then check their authorization.

I will get back to you tomorrow, once I speak to my team, on how to achieve your desired scenario above.

Apologies for not understanding your message your original scenario cannot be achieved.

PramusOP•5/7/24, 11:25 AM

Thank you @Oli - Kinde . As a small hint - I believe the behaviour I'd expect is already achievable like @palooka8300 mentioned but only via custom interface using the API. Therefore the change in the out-of-the-box flow (by what I mean your React components and Kinde authentication flow) shouldn't be a big thing.

What I can think of could be some kind of an opt-in flag inside organizations to prompt the users existing in the common pool to register anew in the new org instead of alerting them that they don't have permissions.

That should give the end users the experience of multi-tenancy.

Oli - Kinde•5/8/24, 1:57 PM

Sorry @Pramus,
Still discussing this with my team.
I will come back to you with another update tomorrow.

Oli - Kinde•5/9/24, 11:31 AM

Hi @Pramus,
After looking at your scenario and expected outcome again, the only reasonable workaround I can see is using a custom page (like @palooka8300 said).
You could implement logic on your custom page that would check if the user is a member of the organization or not. You can check this via the Kinde Management API

If the user is not part of the organization, you can show a message saying this and not direct them to the verify password or code page
If the user is part of the organization, you can direct them to the next verify password or code page

Please let me know if you have any further questions.

PramusOP•5/10/24, 9:26 AM

That would require creating an entire custom login flow, it's not an ideal solution but it is what it is

PramusOP•5/10/24, 9:27 AM

As I see it, Kinde without the custom login flow is not ready for multi-tenancy

Oli - Kinde•5/11/24, 4:59 AM

Thanks again for your feedback @Pramus.
I have passed this onto my team.