I was thrilled to see that the Keycloak team has introduced the concept of organizations. However, after exploring it further, I realized it’s more of an MVP than a fully usable feature (especially in scenarios where a single user belongs to multiple organizations).

Here are some critical gaps I’ve encountered:

1. No clear way to log in with a specific active (or default) organization
   Currently, there are only two primitive options:

   • Using an external IdP
   • Displaying a basic organization selection page before entering the password
     NOTE: The second option raises a serious security concern: anyone with a user's email address can enumerate all their organizations.

2. No ability to switch organizations without logging out and back in
   This makes multi-organization workflows cumbersome and impractical.

3. No standard way to specify the active organization via REST API authentication
   I was surprised to find that the only viable method involves:

   • A custom authenticator
   • A custom script mapper
   • Token exchange
     This feels overly complex for such a basic requirement.

4. Switching between organizations via REST APIs follows the same convoluted path
   There’s no clean or documented way to handle this.

I understand the team may have approached this feature with a different perspective, but for many of us, the term organization suggested a more advanced level of multi-tenancy. I’m hopeful that future iterations will bring more robust and intuitive flows.