Automatically adding user to organization on sign-in (not sign-up)
I understand that if a user is signing up, they can automatically be added to the organization specified on the query string (?org_code=), however, if I already have a user account at Organization A and then I try to log into Organization B, I'm getting a message. Is there some way to allow an existing user account to sign in to an organization they are not yet a part of?
16 Replies
Hi thanks for your message, we are aware of this issue and are investigating a fix. I will see if I can get an update from the team.
So this is just something broken at the moment, not a lack of a feature?
I have a similar problem:
https://discord.com/channels/1070212618549219328/1233335354023743541
Hi @ryno1234.,
Just jumping in here.
If a user is assigned to organization A but not assigned to organization B and they try to sign into organization B, the user will see the message above. This is the expected state.
So @ryno1234., are you able to explain a bit more about the desired experience you are after?
An existing user can sign up to another organization (e.g. organization B) and then they can successfully log into that organization.
Bumping your issue too @Pramus. Maybe you can take a look @Oli - Kinde
@Oli - Kinde, the messaging is confusing in my opinion.
My concrete use case is I run "Best Of" campaigns for small to medium sized cities and towns. Often, we'll have neighboring towns so a community member signing in to participate in City A's campaign may also end up being a user of City B's campaign.
When they hit the sign in screen, often people will just type their username and password as opposed to thinking "Oh, I need to make sure I sign up since I don't recall creating an account here before". If you do this, the next screen asks for my password (indicating I already have an account), if I then enter the CORRECT password, I'm presented with an access denied. -> that is a weird flow IMO
I'm thinking, at this last step, just create their association with the organization at this point. They've correctly identified who they are and their desire to access the organization. The organization has "Allow Signups", so we've met the requisite requirements to just process a signup.
As an alternative to what I mentioned above, I think this would be *far* less confusing if when a user attempts to sign in to City B, if that account exists but isn't already associated with City B, don't allow them to go further prompting them for their password because it gives this false hope that once they enter their password correctly, they can get in.
In short:
* Either understand there is an implied "sign up" intention upon successful sign in and just let the user through OR
* Understand there is an implied "Sign Up" intention upon sign in and detect if the user isn't associated to the Organization and short circuit their attempt before they get to the password screen.
A side effect of this I wasn't anticipating is that now I need to associate all users I'm importing from Auth0 with their organizations since, if I don't do this, the user has to explicitly "Sign up".
Hey @ryno1234.,
Thanks for the extensive reply.
I am also sorry you came across this experience so late into your migration/integration journey.
The reason for the experience above is that we explicitly treat authentication (identity you are who you say you are) and authorization as 2 separate logical components that are separate but related. In the login flow in Kinde, we always first authenticate the identity of the user, and then check their authorization.
I understand in your case where the user is given false hope that they have access to the organization and later are hit with an "access denied" screen.
I have passed this feedback to my team.
> I'm thinking, at this last step, just create their association with the organization at this point. They've correctly identified who they are and their desire to access the organization. The organization has "Allow Signups", so we've met the requisite requirements to just process a signup.

If you are happy to go ahead with this solution for the time being, you can achieve this by always redirecting the user to the organization-specific register screen when you want the user to log in to a specific org.
- If the existing user is not assigned to the org, they will be assigned to the org and granted access (let them in)
- If the existing user is already assigned to the org, it will just let them in
Does this solve your use-case for the time being?
@Oli - Kinde, yes it does solve the issue. Thank you! As we've discussed (in a separate thread), I'll need to create a custom sign in screen anyway, so I may ultimately have more control over this (TBD as I haven't looked into what's required to make this happen yet and exactly what control I will have).
I'm hoping longer term the team can find a way for others in the future to smooth out this specific type of flow. Even simply changing the messaging at the end to something like "We found your account, but you haven't signed up for Organization Name before. Click here to sign up" and directing the user to the sign up screen. That would be a WORLD of improvement with likely small effort.
Again, IMO, I think from a user's perspective, if I've already authenticated and the org allows registration, you have all the elements necessary to allow me through, but trying to think of simple alternatives like response message changes that might solve these edge cases.
I appreciate all your help!
Just thought of this: Another, and likely more compelling, reason why someone might not try to sign up and instead try to sign in would be that their credentials are saved in the browser from signing in to City A previously - it gives a false sense that they can utilize their saved credentials to move forward. Their saved credentials will indeed move them forward in the process, just for them to hit an access denied screen.
I believe this case and mine are great examples identifying the missing parts of the scenario of an existing user logging into a new organization. It would be great if we could have a setting (per organization possibly?) to determine the behaviour:
- inform that they don't have access - as it is now
- add to organization - happens in the background by simply adding the existing user to org and successfully redirects
Hey @ryno1234. and @Pramus,
Thanks a ton for sharing your insights and suggestions—it’s super valuable to my team and I. I totally get where you're coming from, and it makes a lot of sense. I’ve already looped in our team to look into these suggestions.
In the meantime, I appreciate you guys rolling with the temporary solutions. Keep the ideas coming, and we’ll keep working on making things better.
Keep the questions and suggestions coming!
@Oli - Kinde - We launched with Kinde on Monday of last week. Generally speaking, so far so good. That said, as suspected we already have users having issues with what I mentioned above. Here is some direct feedback / confusion from a user because of this. In this email, "Region" = Organization in Kinde.
I'd also like to mention that there is a secondary issue here: Once a user attempts to log in, but gets the "Sorry, you do not have access to this organization" message, they are quite literally stuck.
* There are no links to perform a different action or return to the originating site
* The user really only has 3 options: 1) use the back button 2) close the window or 3) type in a new URL in the address bar. If you use the back button (which is the only reasonable option out of those 3), you're presented with the login screen again. Attempting any other action on that screen then leads you to the 2nd message "The requested action could only be executed once". I understand WHY this is showing up, but the user experience in this particular case is very poor. Hopefully the team is working on this part since this is user facing.
My client is undoubtedly going to be looking to me for solutions to this problem in the next day or two as more of this pops up. Don't get me wrong, generally speaking I'm happy with Kinde, but these user facing things do provide some (at times) significant friction.
I'm sure the team can come up with some ideas on how to allow the user to get out of this "hole" they can fall into, or, as mentioned above, auto-register them in the case that the organization allows registration.
Looking forward to hearing your thoughts.
Thank you!
Hey @ryno1234.,
Apologies for the delayed response here.
First of all, I am sincerely sorry you have experienced these issues.
I would like to reproduce this issue as an end-user of your system. Would you be able to send me a link to one of your sites where I can reproduce this issue? You can DM me this if you prefer.
Also, you can improve the user experience when a user lands on the "The requested action could only be executed once" page by setting a default login route for an application - see this doc.
Adding a homepage URL to the sign-in page is also a good idea - see this doc
@Oli - Kinde, thanks for the response. You can register at https://rgbr.stylerca.com and then attempt to log in to https://fedh.stylerca.com using the account you just created at the first link.
Regarding adding the homepage link, I would love to but the API doesn't support it. I logged this issue with the team already. I need to be able to set this information via the API, not manually, because we have many organizations. We expect to get into the hundreds+ in the next year or two.
For the time being, I will manually update these couple of organizations that are actively in the midst of their campaign, but longer term this needs to be able to be accomplished via the API.
Here is a link to the thread about the Organizations API not supporting full functionality: https://discord.com/channels/1070212618549219328/1236726751552344095/1236726751552344095
Hey @ryno1234.,
I can replicate your issue where a user reaches a screen that says "Sorry, you do not have access to this organization."
To overcome this issue there are 2 approaches you can take - see below.
Always direct the user to the register page (not login page)
As mentioned here (https://discord.com/channels/1070212618549219328/1236312350173433856/1237350535787446363), if you always direct the user to the register page of an org:
- If the existing user is not assigned to the org, they will be assigned to the org and granted access (let them in)
- If the existing user is already assigned to the org, it will just let them in
Webhooks
The alternative approach is using Kinde webhooks to call an API (when a user registers with either any org) and then add the user to all organisations
- You would have to update the orgs of all existing users to belong to all organisations before you implement this
- You can update the organisations of all users with our user import via CSV solution - you need to include the external_organization_id field.
I would suggest the "Always direct the user to the register page (not login page)" solution.
Let me know if you have any questions.
Regarding adding the homepage link, I will chase this up with my team and reply here: https://discord.com/channels/1070212618549219328/1236726751552344095
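
The authenticate-then-authorize flow discussed in this thread, modelled as an added example; it is not Kinde's code or API and is not from any participant. `Org`, `sign_in` and the per-organization `auto_join_on_sign_in` switch are hypothetical names, and the sample users and organizations are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    AUTH_FAILED = "auth_failed"
    SIGNED_IN = "signed_in"
    JOINED_AND_SIGNED_IN = "joined_and_signed_in"
    ACCESS_DENIED = "access_denied"


@dataclass
class Org:
    code: str
    allow_signups: bool          # the "Allow Signups" setting mentioned in the thread
    auto_join_on_sign_in: bool   # hypothetical per-org switch proposed in the thread
    members: set = field(default_factory=set)


def sign_in(user_id, password_ok, org):
    # Step 1: authentication. A failed check never touches membership.
    if not password_ok:
        return Outcome.AUTH_FAILED
    # Step 2: authorization against this organization's membership.
    if user_id in org.members:
        return Outcome.SIGNED_IN
    # Step 3: treat sign-in as an implied sign-up only when the org
    # allows signups AND has opted in; otherwise keep today's denial.
    if org.allow_signups and org.auto_join_on_sign_in:
        org.members.add(user_id)
        return Outcome.JOINED_AND_SIGNED_IN
    return Outcome.ACCESS_DENIED


def demo():
    # Constructed sample: "alice" is a member of City A only.
    city_a = Org("city_a", True, False, {"alice"})
    city_b = Org("city_b", True, False)   # behaviour described in the thread
    city_c = Org("city_c", True, True)    # opted in to auto-join
    closed = Org("closed", False, True)   # signups off, so opt-in is ignored
    return [sign_in("alice", True, o) for o in (city_a, city_b, city_c, closed)]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome.value)
```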