multitenant multi org to single auth user setup

I currently have a setup on auth0 and I'd like to replicate it on Kinde if possible. A user can belong to one or many organizations and will have a default org. When requesting an access token during login the auth0 post login script will call my public api and get the orgs the user belongs to, and adds them to the claims in the token as an array [], there is also a current org id for the current organization the user is in. The claim is useful so the user can get all the org specific data and when the dropdown is changed to a different org, another token is requested with the org id as a parameter and if the api returns with that org as a valid one for the user it adds it to the claim as the current org Id.

I see there is a user data thing you have at kinde, but it seems to only support strings and booleans, which prevents me having a list of orgs as an array, and there doesn't seem to be a way to conditionally pass data into the token request and have that change the claims logic. Is this setup or something that achieves similar results possible?

Thanks for your time, Danny
10 Replies
TotalScrub 2mo ago
Sort of. I'm going to reply using Nuxt / Vue as that's what my stack is (on top of .NET). With Nuxt (and I assume any of the JavaScript SDKs) you can get a user's organisations with something like:

const organisations = await event.context.kinde.getUserOrganizations();

See - https://docs.kinde.com/build/organizations/orgs-for-developers/.

Kinde does support the concept of a default organisation, but it is a default organisation across the entire business (i.e. your tenant). If you wanted something slightly different (e.g. the user has 3 standard orgs they belong to and you want to be able to define a default) then that's something you'd need to manage in your application logic.

Also, in Kinde from an auth perspective a user is only logged into one org at once. The user's permissions & roles are tied to their membership to the organisation, but you can flick between organisations without forcing the user to log in via Kinde's UX. You can do this by calling login, passing in the org_code and prompt=none.

In terms of customisation, I think Kinde has some capability in the not too distant future around workflows which might fit your use case. https://updates.kinde.com/board/build-your-own-workflows. I think there's a demo of it in #announcements
Abdiwak Bekele
Hi Danny,

Building on what Stephen mentioned, Kinde supports similar functionality to what you described. Here’s how:

Organizations in Tokens

Kinde automatically includes organization information in both ID and access tokens:
- In ID tokens, you receive an org_codes array containing the IDs of all organizations the user belongs to.
- In access tokens, you get the org_code for the currently active organization.

Organization Switching

You can enable organization switching by adding organization data to ID tokens. The organizations claim will include both IDs and names. Here’s an example of how the organizations appear in the token:
"organizations": [
  {
    "id": "org_4ba6821b521",
    "name": "Golden Finance"
  },
  {
    "id": "org_b7226a3b5f0",
    "name": "UTM Bank"
  }
]
Switching Organizations

- You can switch organizations by passing the org_code parameter during login.
- The token will automatically update with the new current organization.

Token Synchronization

Kinde provides multiple methods to keep tokens in sync when organization data changes:
- Refresh tokens allow users to retrieve updated claims.
- The Refresh User Claims API endpoint provides immediate updates.

Key Difference: As Stephen highlighted, Kinde handles organization management natively, so you don’t need a custom post-login script like in Auth0. The organization data is automatically included in the tokens and managed within Kinde’s built-in system.

For further clarification, could you share which SDK or tech stack you’re using? That way, we can provide more specific guidance. Looking forward to your response!
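A server-side check for an API that receives these access tokens, as an added example that is not part of any reply in this thread or of Kinde's SDK: the API verifies the token and only serves an organization's data when the requested org matches the token's `org_code` claim, so changing the org in the UI without obtaining a new token is rejected. The locally generated RSA key pair stands in for the issuer's signing key, the function names are hypothetical, and the claim values are constructed.

```javascript
const { generateKeyPairSync, sign, verify } = require("node:crypto");

const b64url = (v) => Buffer.from(v).toString("base64url");

// Constructed stand-in for the issuer's signing key; a real API would load
// the issuer's public key from its JWKS endpoint and also check iss and aud.
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });

// Helper for this example only: mint an RS256 token with constructed claims.
function mintToken(claims, key = privateKey) {
  const head = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  const sig = sign("sha256", Buffer.from(`${head}.${body}`), key);
  return `${head}.${body}.${b64url(sig)}`;
}

// Verify algorithm, signature and expiry; return the claims or null.
function verifyToken(token, key = publicKey, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    const header = JSON.parse(Buffer.from(head, "base64url").toString());
    if (header.alg !== "RS256") return null; // pin the algorithm
    const signed = Buffer.from(`${head}.${body}`);
    if (!verify("sha256", signed, key, Buffer.from(sig, "base64url"))) return null;
    const claims = JSON.parse(Buffer.from(body, "base64url").toString());
    return typeof claims.exp === "number" && claims.exp > now ? claims : null;
  } catch {
    return null; // malformed base64 or JSON
  }
}

// Decision for a tenant-scoped route such as /orgs/:orgCode/...
// Returns the HTTP status the API should answer with.
function authorizeOrgRequest(token, requestedOrg) {
  const claims = verifyToken(token);
  if (!claims) return 401; // missing, forged or expired token
  if (typeof claims.org_code !== "string" || claims.org_code !== requestedOrg) {
    return 403; // valid token, but issued for a different organization
  }
  return 200;
}
```

In an Express app the same decision would sit in a middleware ahead of every org-scoped route, with `requestedOrg` taken from the route parameter.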
firemansam (OP) 5w ago
Thanks for your detailed response, I am slightly worried doing it that way since it means I no longer have a source of truth and need to be a bit more careful with desyncs, but I can see the benefit long term for this method. My stack is express container for backend and react frontend.

Also just wanted to confirm before I commit to making the switch over, is Kinde committed to keeping the following features in the $25 pro plan, these two features alone are enough of a reason for me to switch over. Taken from pricing page:
- Unlimited MAU, organizations, and
- M2M connections as you grow

And I want to confirm the M2M connections as I grow means that once I offer an api to my customers I can programmatically make each (or more than one each) org a Client Id and Secret to allow them to call my client api?

Appreciate the time
TotalScrub 5w ago
I don't work for Kinde, so take my comments at face value. I'd suggest you go through their pricing page in detail. https://kinde.com/pricing/. Whilst they do give unlimited MAU, MAO, etc they only include a certain number of those for free in each pricing plan and charge for overages. Depending on the number of API endpoints you have you'll also need to be careful of M2M tokens and make sure that your clients aren't burning tokens by being bad citizens as that too could cause overage charges for your clients which are doing things like creating a M2M token per request for instance. I myself haven't looked at programmatically registering applications, but I believe Kinde's Management API basically supports anything that is available in the UI (although there are some small exceptions)
firemansam (OP) 5w ago
That's helpful Stephen, just needed to scroll down a little bit more. Seems like it can easily end up very expensive if each user gets an org by default, and I'm not sure if I've just missed it but I haven't been able to find how many client_id and client_secrets I can create included in the plans. Thanks again for the help
TotalScrub 5w ago
If there's only 1 MAU per org then that org isn't charged. It's only when it gets to 2 MAU per org that you get the charge. It doesn't show up in a screenshot but if you hover over the i icon next to Included monthly active organisations the text will confirm what I've stated
Abdiwak Bekele
Hi Danny, Thank you for your message. Kinde supports both token-based organization management and a centralized data approach, so you can choose what works best for you. Also, a member of our billing team will reach out to discuss features and pricing. Let me know if you have any other questions!
onderay 5w ago
A big thanks for helping @TotalScrub @firemansam as Stephen said, we only count a MAO once there are 2 or more MAU within a given month. Meaning if you only have Organisation=1 MAU then you will never be charged for MAO.

Also as Stephen pointed out, our plans have included amounts and then per unit pricing above those limits. Unlike your current provider you are not capped with your usage on plans with Kinde. And if your volume gets large, you can move up our plans to get cheaper per unit pricing or speak to us about custom volume pricing. https://kinde.com/price-builder/

There is no limit on the amount of M2M applications you create in your account, we charge based on the issuing of M2M tokens. https://docs.kinde.com/developer-tools/kinde-api/connect-to-kinde-api/#how-m2m-tokens-are-calculated-in-kinde

Any other questions at this stage?
firemansam (OP) 5w ago
Ahh cool, so if I have a free tier: free tier user signs up -> I create the org in my db and in kinde -> because it's an org with only one user it doesn't count towards the 50 included in the pro plan -> user upgrades to my paid plan and adds team to his org -> now with 5 users it counts ongoing. That sounds reasonable and means I only pay for users who are paying, with the exception of the much more generous 10k MAU. Sounds like you guys are worth a POC and possibly a switch, really appreciate the help
Abdiwak Bekele
Perfect! Glad we could help make the migration easier!
