python_2_7:

docker:

- image: cimg/python:2.7

python_3:

python_2:

executor: python_2_7

steps:

- checkout

- python/install-packages:

pkg-manager: pip-dist

path-args: ".[test]"

- run: coverage run -m unittest discover -s auth0/v3/test -t .

- codecov/upload

- python_3

- python_2

- python_3

- python_2

- [Organizations](#organizations)

[Organizations](https://auth0.com/docs/organizations) is a set of features that provide better support for developers who build and maintain SaaS and Business-to-Business (B2B) applications.

Note that Organizations is currently only available to customers on our Enterprise and Startup subscription plans.

Log in to an organization by specifying the ``organization`` property when calling ``authorize()``:

from auth0.v3.authentication.authorize_client import AuthorizeClient

client = AuthorizeClient('my.domain.com')

client.authorize(client_id='client_id',

redirect_uri='http://localhost',

organization="org_abc")

When logging into an organization, it is important to ensure the `org_id` claim of the ID Token matches the expected organization value. The `TokenVerifier` can be be used to ensure the ID Token contains the expected `org_id` claim value:

from auth0.v3.authentication.token_verifier import TokenVerifier, AsymmetricSignatureVerifier

domain = 'myaccount.auth0.com'

client_id = 'exampleid'

id_token = auth_result['id_token']

jwks_url = 'https://{}/.well-known/jwks.json'.format(domain)

issuer = 'https://{}/'.format(domain)

sv = AsymmetricSignatureVerifier(jwks_url) # Reusable instance

tv = TokenVerifier(signature_verifier=sv, issuer=issuer, audience=client_id)

tv.verify(id_token, organization='org_abc')

Accept a user invitation by specifying the `invitation` property when calling `authorize()`. Note that you must also specify the ``organization`` if providing an ``invitation``.

The ID of the invitation and organization are available as query parameters on the invitation URL, e.g., ``https://your-domain.auth0.com/login?invitation=invitation_id&organization=org_id&organization_name=org_name``

from auth0.v3.authentication.authorize_client import AuthorizeClient

client = AuthorizeClient('my.domain.com')

client.authorize(client_id='client_id',

redirect_uri='http://localhost',

organization='org_abc',

invitation="invitation_123")

If an `org_id` claim is present in the Access Token, then the claim should be validated by the API to ensure that the value received is expected or known.

In particular:

- The issuer (`iss`) claim should be checked to ensure the token was issued by Auth0

- The organization ID (`org_id`) claim should be checked to ensure it is a value that is already known to the application. This could be validated against a known list of organization IDs, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the Access Token.

Normally, validating the issuer would be enough to ensure that the token was issued by Auth0. In the case of organizations, additional checks should be made so that the organization within an Auth0 tenant is expected.

If the claim cannot be validated, then the application should deem the token invalid.

The snippet below attempts to illustrate how this verification could look like using the external [PyJWT](https://pyjwt.readthedocs.io/en/latest/usage.html#encoding-decoding-tokens-with-rs256-rsa) library. This dependency will take care of pulling the RS256 Public Key that was used by the server to sign the Access Token. It will also validate its signature, expiration, and the audience value. After the basic verification, get the `org_id` claim and check it against the expected value. The code assumes your application is configured to sign tokens using the RS256 algorithm. Check the [Validate JSON Web Tokens](https://auth0.com/docs/tokens/json-web-tokens/validate-json-web-tokens) article to learn more about this verification.

import jwt # PyJWT

from jwt import PyJWKClient

access_token = # access token from the request

url = 'https://{YOUR AUTH0 DOMAIN}/.well-known/jwks.json'

jwks_client = PyJWKClient(url)

signing_key = jwks_client.get_signing_key_from_jwt(access_token)

data = jwt.decode(

access_token,

signing_key.key,

algorithms=['RS256'],

audience='{YOUR API AUDIENCE}'

organization = # expected organization ID

if data['org_id'] != organization:

raise Exception('Organization (org_id) claim mismatch')

social = Social('myaccount.auth0.com')

social.login(client_id='...', access_token='...', connection='facebook')

database = Database('myaccount.auth0.com'')

database.signup(client_id='...', email='[email protected]', password='secr3t', connection='Username-Password-Authentication')

token = GetToken('myaccount.auth0.com')

token.login(client_id='...', client_secret='...', username='[email protected]', password='secr3t', realm='Username-Password-Authentication')

get_token = GetToken(domain)

token = get_token.client_credentials(non_interactive_client_id,

non_interactive_client_secret, 'https://{}/api/v2/'.format(domain))

- API Authorization - Authorization Code Grant (`authentication.AuthorizeClient`)

from .authorize_client import AuthorizeClient

from .logout import Logout

"AuthorizeClient",

"Logout",