Third-party Apps for Organizations#1389
Conversation
| | **Rules** | Executed | Not supported. Results in error. | | ||
| | **Non-OAuth protocols** (SAML, WsFed) | Supported | Not supported | | ||
| | **Organizations** | Supported | Machine-to-machine access supported via [organization client grants](/docs/manage-users/organizations/configure-organizations/configure-organization-client-grants). User flows planned for a future release. | | ||
| | **Organizations** | Supported | Supported. User flows require the organization to [allow third-party application access](/docs/manage-users/organizations/configure-organizations/enable-third-party-application-access). Machine-to-machine access supported via [organization client grants](/docs/manage-users/organizations/configure-organizations/configure-organization-client-grants). | |
There was a problem hiding this comment.
Looks like this is an existing issue but /docs/manage-users/organizations/configure-organizations/configure-organization-client-grants does not exist and you get a 404 when you hit this link.
It looks like docs/manage-users/organizations/organizations-for-m2m-applications/authorize-m2m-access might be the page we want to target here.
|
|
||
| 1. Navigate to [Auth0 Dashboard > Organizations](https://manage.auth0.com/#/organizations) and select the Organization. | ||
| 2. Go to the **Settings** tab. | ||
| 3. Locate **Third-Party Application Access** and enable the toggle. |
There was a problem hiding this comment.
As I think has already been flagged, the UI currently shows "Third-Party Client Access" as the section name rather than "Third-Party Application Access".
enable the toggle
The actual UI as implemented at present is a radio group, not a toggle, with two options:
- "Block Third-Party Client Access"
- "Allow Third-Party Client Access"
The "Client" vs "Application" wording obviously needs updating here as well, but we should align this documentation with the fact that it's multiple options rather than a single toggle 👍
| To verify the change, retrieve the Organization and confirm the property is set: | ||
|
|
||
| {/* TODO: AuthCodeGroup — `GET /api/v2/organizations/{id}` example showing `third_party_client_access` in the response */} |
There was a problem hiding this comment.
If it helps, I hit this endpoint with one of my own Organizations and the response looked like this:
{
"id": "org_9lBHW9jzd0tQWPFH",
"name": "acme",
"display_name": "ACME Corporation",
"third_party_client_access": "allow"
}| To ensure users are routed to the correct Organization context, configure one of the following on your application: | ||
|
|
||
| - **Prompt for Organization**: Auth0 prompts the user to identify their Organization before authentication. This works regardless of what the external application sends. | ||
| - **Organization Domain Discovery**: Auth0 automatically detects the user's Organization from their email domain. Requires [verified Organization domains](/docs/manage-users/organizations/configure-organizations/create-org-domains). |
There was a problem hiding this comment.
Is there any reason we're pushing "Pre-Login" organization discovery here?
Note that "Prompt for Organization" encapsulates two possible modes: the user enters the organization name, or the user enters their organization email. So the first bullet here is the general approach, while the second bullet point here is a specific option within that approach - I think it could be a bit confusing for folks to have it laid out like this.
Furthermore, what's wrong with the "Post-Login" ("Prompt for Credentials") organization discovery flow? i.e. the user logs in first and then we show an organization picker with all the organizations they belong to that support 3P clients? Unless I'm mistaken, this approach solves the same problem, and only "No Prompt" is problematic.
If the idea here is to explain the two options that are available to ensure an organization is picked during login, then I think we should present "Prompt for Organization" and "Prompt for Credentials" as the two options, and not get too much down into the weeds of requiring verified organization domains etc. for the specific sub-option of the "Prompt for Organization" flow (probably better to just link out to the docs/manage-users/organizations/login-flows-for-organizations#configure-the-login-flow-for-your-application page and let that do the heavy lifting).
|
|
||
| ## Machine-to-machine access | ||
|
|
||
| The `third_party_client_access` setting applies to user authentication flows (authorization code) only. For machine-to-machine access using the Client Credentials Flow, this setting is not evaluated. M2M access is controlled exclusively through [organization client grants](/docs/manage-users/organizations/organizations-for-m2m-applications). |
There was a problem hiding this comment.
nit: would it be better to link specifically to docs/manage-users/organizations/organizations-for-m2m-applications/authorize-m2m-access here? i.e. the page that talks about the authorization mechanisms?
| <Callout icon="file-lines" color="#0EA5E9" iconType="regular"> | ||
| Since third-party applications are controlled by external developers, you cannot guarantee they pass the `organization` parameter in authorization requests. Configure [Prompt for Organization or Organization Domain Discovery](/docs/manage-users/organizations/login-flows-for-organizations) to ensure users are routed to the correct Organization context. | ||
| </Callout> |
There was a problem hiding this comment.
See my other comments in this review where I've commented on similar passages
| 1. The connection must be promoted to the [domain level](/docs/authenticate/identity-providers/promote-connections-to-domain-level), as described in the section above. | ||
| 2. The Organization must have `third_party_client_access` set to `allow`. | ||
|
|
||
| If either condition is missing, the authorization request fails with `access_denied`. To enable third-party application access on an Organization, read [Enable Third-Party Application Access for an Organization](/docs/manage-users/organizations/configure-organizations/enable-third-party-application-access). |
There was a problem hiding this comment.
See my other comment talking about the actual error behaviour vs the access_denied documented here
|
|
||
|
|
||
| Machine-to-Machine Access to Organizations can be granted by directly associating a client grant to an organization or allowing access to any organization in the client grant settings. Both scenarios can be audited via the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip> or the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip>, where you can view or retrieve a list of client grants associated with an organization for an application. To learn more about how M2M access to Organizations permissions work, read [Configure Your Application for M2M Access](/docs/manage-users/organizations/organizations-for-m2m-applications/configure-your-application-for-m2m-access) and [Authorize M2M Access](/docs/manage-users/organizations/organizations-for-m2m-applications/authorize-m2m-access). | ||
| Machine-to-Machine Access to Organizations can be granted by directly associating a client grant to an organization or allowing access to any organization in the client grant settings. Both scenarios can be audited via the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip> or the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip>, where you can view or retrieve a list of client grants associated with an organization for an application. To learn more about how M2M access to Organizations permissions work, read [Configure Your Application for M2M Access](/docs/manage-users/organizations/organizations-for-m2m-applications/configure-your-application-for-m2m-access) and [Authorize M2M Access](/docs/manage-users/organizations/organizations-for-m2m-applications/authorize-m2m-access). Auditing works the same way for [third-party applications](/docs/get-started/applications/third-party-applications). |
There was a problem hiding this comment.
The tip for the Management API link is wrong here - it looks like it's a copy-paste error.
Looking elsewhere, I think the tip should be:
"Management API: A product to allow customers to perform administrative tasks."
| <Callout icon="file-lines" color="#0EA5E9" iconType="regular"> | ||
| This approach assumes you control the application code. For third-party applications, you cannot guarantee the external developer passes the `organization` parameter. Use [Prompt for Organization or Organization Domain Discovery](/docs/manage-users/organizations/login-flows-for-organizations) instead. | ||
| </Callout> |
There was a problem hiding this comment.
And again here - same comments as elsewhere
| <Callout icon="file-lines" color="#0EA5E9" iconType="regular"> | ||
| For [third-party applications](/docs/get-started/applications/third-party-applications), `allow_any_organization` is not available. Each Organization must be explicitly authorized through an `organization_client_grant`. To learn more, read [Enable Third-Party Application Access for an Organization](/docs/manage-users/organizations/configure-organizations/enable-third-party-application-access). | ||
| </Callout> |
There was a problem hiding this comment.
allow_any_organization is an M2M concept (which is the scope of this page), but the link we're pointing to here is about enabling third-party application access in user flows, not about organization client grants. We should change the link to point at the docs/manage-users/organizations/organizations-for-m2m-applications/authorize-m2m-access page instead.
4 participants
Description
Documents Organizations support for third-party applications, shipping with the GA Extended Functionality release (ROAD-5837). Third-party applications can now participate in Organization-context flows, gated by an explicit per-organization opt-in (
third_party_client_access) at the org level and a domain-level connection at the connection level. M2M with Organizations was already shipped — this PR also closes documentation gaps in that area.The work covers four concepts:
organization_client_grantrequired per Organization;allow_any_organizationis not available for third-party applications.(application, API, scopes, org_id). Consent in one Organization does not carry over to another.Scope
New article:
manage-users/organizations/configure-organizations/enable-third-party-application-access.mdx— the canonical how-to for an Organization admin enabling third-party access, with Dashboard and Management API tabs.Updated articles (19 total):
first-party-and-third-party-applications,security-controls,configure-third-party-applications,user-consent-and-third-party-applications,troubleshooting,permissive-mode, and the migration guide.organizations-overview,using-tokens,configure-organizations(index),login-flows-for-organizations,custom-development.configure-your-application-for-m2m-access,authorize-m2m-access,revoke-m2m-access,audit-m2m-access.config/navigation/manage-users.json.Editorial decisions
permissivereferences inmanage-users/organizations: third-party applications are referred to as a single concept across the Organizations section. Permissive-specific differences are confined topermissive-mode.mdx.Placeholders for follow-up
The following are flagged in-line with
{/* TODO: ... */}markers and need to be filled before publication:third_party_client_accesstoggle, close-up of the toggle, and a paired set of org-scoped consent dialogs (same user, same app, two Organizations) for the consent article.AuthCodeGroup-wrapped example for/authorizewithorganizationin the configure article;GET /api/v2/organizations/{id}showing the new property in the new how-to article; sampleaccess_deniederror response body for the troubleshooting entry.References
Testing
Build the site locally and verify rendering and content
cd main & mintlify devChecklist
CONTRIBUTING.md.