Skip to main content
By default, Organizations deny user authentication from third-party applications. To allow a third-party application to authenticate users in an Organization, the Organization must be explicitly configured to allow it.

Before you begin

  • At least one third-party application is configured in your tenant. To learn more, read Configure Third-Party Applications.
  • The third-party application has a client grant for the APIs it needs to access.
  • The connection used for login is promoted to the domain level (is_domain_connection: true). Both this and the Organization opt-in below are required.

Enable third-party application access on the Organization

You can enable third-party application access using the Auth0 Dashboard or the Management API.
  1. Navigate to Auth0 Dashboard > Organizations and select the Organization.
  2. Go to the Overview tab.
  3. Under Third-Party Application Access, select Allow Third-Party Application Access.
  4. Select Save.
Organization Settings showing Third-Party Application Access options

Connection requirements

For a third-party application to authenticate users in an Organization, two connection conditions must both be met:
  1. The connection must be promoted to the domain level (is_domain_connection: true). Third-party applications can only authenticate users through domain-level connections, whether or not an Organization is involved.
  2. The connection must be enabled for the Organization.
Meeting only one of these conditions is not sufficient.

Organization login flows for third-party applications

Since third-party applications are controlled by external developers, you cannot rely on them passing the organization parameter in their authorization requests. Authentication flows that require the application to send organization directly (the No Prompt login flow) are not reliable for third-party applications. To ensure users are routed to the correct Organization context, configure one of the following on your application:
  • Prompt for Credentials: Users authenticate first, then Auth0 prompts the user to select their Organization after login.
  • Prompt for Organization: Users identify their Organization before authentication. This works regardless of what the external application sends. You can optionally enable Organization Domain Discovery to automatically detect the user’s Organization from their email domain or Organization name. Requires verified Organization domains.
To learn more, read Login Flows for Organizations.

Machine-to-machine access

The third_party_client_access setting applies to user authentication flows (authorization code) only. For machine-to-machine access using the Client Credentials Flow, this setting is not evaluated. M2M access is controlled exclusively through organization client grants. For third-party applications, allow_any_organization is not available. Each Organization must be explicitly authorized through an organization_client_grant. To learn more, read Authorize M2M Access. User consent for third-party applications is scoped to the Organization context. A user who consents in one Organization must consent again if they access the same application through a different Organization. To learn more, read Consent with Organizations.

Learn more