Skip to content

Commit e65876a

Browse files
committed
SDK-8833 Docs and comments refinement
1 parent 65bae24 commit e65876a

2 files changed

Lines changed: 27 additions & 20 deletions

File tree

examples/Organizations.md

Lines changed: 19 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -1,17 +1,18 @@
11
# Organizations
22

3-
[Organizations](https://auth0.com/docs/organizations) is a set of features that provide better support for developers building SaaS and B2B applications. This guide covers the two main deployment patterns and the invitation flow.
3+
[Organizations](https://auth0.com/docs/organizations) is a set of features that provide better support for developers building SaaS and B2B applications. This guide covers org login, invitation flows, error handling, and reading org data from the session.
44

5-
- [1. Dedicated-org instance](#1-dedicated-org-instance)
6-
- [2. Multi-org — per-login override](#2-multi-org--per-login-override)
7-
- [3. Log in using an organization name](#3-log-in-using-an-organization-name)
8-
- [4. Accept user invitations](#4-accept-user-invitations)
9-
- [5. Handling organization errors](#5-handling-organization-errors)
10-
- [6. Reading organization data from the session](#6-reading-organization-data-from-the-session)
5+
- [1. Configuring the organization](#1-configuring-the-organization)
6+
- [2. Log in using an organization name](#2-log-in-using-an-organization-name)
7+
- [3. Accept user invitations](#3-accept-user-invitations)
8+
- [4. Handling organization errors](#4-handling-organization-errors)
9+
- [5. Reading organization data from the session](#5-reading-organization-data-from-the-session)
1110

12-
## 1. Dedicated-org instance
11+
## 1. Configuring the organization
1312

14-
When a single instance of your application serves one organization, set `organization` at client initialization. Every login from that instance will include the `organization` parameter in the `/authorize` request and validate the `org_id` claim in the returned token automatically.
13+
The `organization` parameter can be set at client initialization (dedicated-org) or per login (multi-org).
14+
15+
**Dedicated-org:** when a single instance of your application serves one organization, set `organization` at client initialization. Every login from that instance will enforce the org automatically.
1516

1617
```python
1718
from auth0_server_python.auth_server.server_client import ServerClient
@@ -50,12 +51,7 @@ async def callback(request: Request, response: Response):
5051
return RedirectResponse(url="/dashboard")
5152
```
5253

53-
> [!NOTE]
54-
> You do not need to pass `organization` to `complete_interactive_login`. The SDK stores it in the encrypted transaction at login time and reads it back at callback — the validation is automatic.
55-
56-
## 2. Multi-org — per-login override
57-
58-
When one application instance serves multiple organizations (for example, a B2B SaaS where different users belong to different orgs), pass `organization` at login time using `StartInteractiveLoginOptions`. This overrides any client-level default for that specific login.
54+
**Multi-org:** when one application instance serves multiple organizations, pass `organization` at login time using `StartInteractiveLoginOptions`. This overrides any client-level default for that specific login.
5955

6056
```python
6157
from auth0_server_python.auth_types import StartInteractiveLoginOptions
@@ -69,10 +65,13 @@ async def login(request: Request, response: Response, org_id: str):
6965
return RedirectResponse(url=authorization_url)
7066
```
7167

68+
> [!NOTE]
69+
> You do not need to pass `organization` to `complete_interactive_login`. The SDK stores it in the encrypted transaction at login time and reads it back at callback — the validation is automatic.
70+
7271
> [!IMPORTANT]
73-
> Validate that `org_id` comes from a trusted source (your own data, a verified session, or a registered tenant list) — never pass it unvalidated from a query parameter directly from an untrusted user.
72+
> In the multi-org pattern, validate that `org_id` comes from a trusted source (your own data, a verified session, or a registered tenant list) — never pass it unvalidated from a query parameter directly from an untrusted user.
7473
75-
## 3. Log in using an organization name
74+
## 2. Log in using an organization name
7675

7776
`organization` accepts either an org ID (starts with `org_`) or an org name (any other value). The SDK uses the prefix to determine which token claim to validate at callback:
7877

@@ -94,7 +93,7 @@ authorization_url = await auth0.start_interactive_login(
9493
> [!NOTE]
9594
> Auth0 enforces that organization names cannot start with `org_`, so the prefix dispatch is unambiguous. When using org name, the SDK applies NFC Unicode normalization before comparison to prevent false rejections from visually identical characters with different byte representations.
9695
97-
## 4. Accept user invitations
96+
## 3. Accept user invitations
9897

9998
When a user follows an invitation link, extract the `invitation` and `organization` parameters from the URL and pass them at login time. Auth0 validates the invitation ticket server-side — your application does not need to verify it.
10099

@@ -123,7 +122,7 @@ async def login(request: Request, response: Response):
123122
> [!NOTE]
124123
> `organization` and `invitation` are forwarded to `/authorize`. Auth0 consumes the invitation ticket server-side — it is not stored in the encrypted transaction. If the ticket is expired or already used, `complete_interactive_login` raises `OrganizationInvitationError`.
125124
126-
## 5. Handling organization errors
125+
## 4. Handling organization errors
127126

128127
The SDK raises typed exceptions for org-specific failure modes. Catch them in your callback handler to return meaningful responses to your users.
129128

@@ -167,7 +166,7 @@ async def callback(request: Request, response: Response):
167166
| `OrganizationInvitationError` | Invitation ticket expired, already used, or invalid |
168167
| `OrganizationTokenValidationError` | `org_id` / `org_name` in the returned token does not match what was requested |
169168

170-
## 6. Reading organization data from the session
169+
## 5. Reading organization data from the session
171170

172171
After a successful org login, `org_id` and `org_name` are available on the user object. Use `get_user()` to retrieve them on subsequent requests:
173172

src/auth0_server_python/auth_types/__init__.py

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -220,7 +220,9 @@ class StartLinkUserOptions(BaseModel):
220220
authorization_params: Optional[dict[str, Any]] = None
221221
app_state: Optional[Any] = None
222222

223+
# =============================================================================
223224
# Multiple Custom Domain
225+
# =============================================================================
224226

225227
class DomainResolverContext(BaseModel):
226228
"""
@@ -241,7 +243,9 @@ async def domain_resolver(context: DomainResolverContext) -> str:
241243
request_url: Optional[str] = None
242244
request_headers: Optional[dict[str, str]] = None
243245

246+
# =============================================================================
244247
# Custom Token Exchange Types
248+
# =============================================================================
245249

246250
class CustomTokenExchangeOptions(BaseModel):
247251
"""
@@ -348,7 +352,9 @@ class LoginWithCustomTokenExchangeResult(BaseModel):
348352
state_data: dict[str, Any]
349353
authorization_details: Optional[list[AuthorizationDetails]] = None
350354

355+
# =============================================================================
351356
# Connected Accounts Types
357+
# =============================================================================
352358

353359
# BASE & SHARED
354360
class ConnectedAccountBase(BaseModel):
@@ -421,7 +427,9 @@ class ListConnectedAccountConnectionsResponse(BaseModel):
421427
next: Optional[str] = None
422428

423429

430+
# =============================================================================
424431
# MFA Types
432+
# =============================================================================
425433

426434
# Type aliases using Literal types
427435
AuthenticatorType = Literal["otp", "oob", "recovery-code"]

0 commit comments

Comments
 (0)