The docs read like it's enough to have roles without assigning users to organizations. Moreover, AuthKit allows a user to log in without any organization (perhaps correctly, for actions and business logic to then assign something to the user).
However, even with organization_id the flow is... inscrutable:
>> REQUEST >>
GET https://auth.workos.com/user_management/authorize?
response_type=code&
client_id=client_01...&
redirect_uri=http://localhost:4000/auth/callback&
provider=authkit&
organization_id=org_01
<< RESPONSE <<
HTTP 302
Location: https://<..auth url>/
Going to this URL will redirect to the callback URL if the user logs in, or is already logged in.
Authenticating with the received code, we get this with or without org_id in the previous call:
{
  "user": {
    "object": "user",
    "id": "user_01...",
    "email": "[email protected]",
    "email_verified": true,
    "first_name": null,
    "last_name": null,
    "profile_picture_url": null,
    "last_sign_in_at": "2025-03-23T16:52:31.325Z",
    "created_at": "2025-03-23T16:52:19.838Z",
    "updated_at": "2025-03-23T16:52:31.325Z",
    "external_id": null
  },
  "access_token": "eyJhbG...",
  "refresh_token": "tyZ...",
  "authentication_method": "MagicAuth"
}
So:
- the user exists
- the user object has no org attached to it
- the user object has no role attached to it
- in the dashboard the user exists in the list of users, but not in the org
(I did figure out the logout session thing: decode access_token, look at the claims, get sid.)
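As an added example (not part of the original post, and not WorkOS's own code): a small Python routine that splits an access token into its three JWS segments, base64url-decodes the payload, and reads the sid claim along with any org_id / role / permissions claims. The two tokens below are constructed for the demo (the signature segment is a placeholder), and the claim names sid, org_id, role and permissions are assumed to match what AuthKit issues; check them against the WorkOS docs. Reading the payload without verifying the signature is only acceptable for a convenience value like sid; verify the token against the WorkOS JWKS before relying on org_id or role for any authorization decision.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT verifying the signature.

    Suitable only for reading values such as `sid` to build a logout URL.
    Never make authorization decisions on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    # Refuse unsigned tokens outright, even though we are not verifying here.
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("refusing token with alg=none")
    return json.loads(b64url_decode(parts[1]))


def session_context(token: str) -> dict:
    """Pull out the session/organization claims we care about (assumed claim names)."""
    claims = decode_jwt_claims(token)
    return {
        "sid": claims.get("sid"),
        "org_id": claims.get("org_id"),
        "role": claims.get("role"),
        "permissions": claims.get("permissions", []),
    }


def make_demo_token(claims: dict) -> str:
    """Build a structurally valid JWT for the demo; the signature is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "demo-key"}
    return f"{b64url_encode(header)}.{b64url_encode(claims)}.c2lnbmF0dXJl"


# Constructed sample tokens (not real WorkOS output).
# A login with no organization: only user and session identifiers are present.
NO_ORG_TOKEN = make_demo_token({
    "iss": "https://api.workos.com",
    "sub": "user_01EXAMPLE",
    "sid": "session_01EXAMPLE",
    "iat": 1742748751,
    "exp": 1742749051,
})

# A login where the user is a member of an organization with a role.
ORG_TOKEN = make_demo_token({
    "iss": "https://api.workos.com",
    "sub": "user_01EXAMPLE",
    "sid": "session_01EXAMPLE",
    "org_id": "org_01EXAMPLE",
    "role": "member",
    "permissions": ["posts:read"],
    "iat": 1742748751,
    "exp": 1742749051,
})


if __name__ == "__main__":
    for label, token in (("no org", NO_ORG_TOKEN), ("with org", ORG_TOKEN)):
        print(label, session_context(token))
```

If `org_id` comes back `None` for a user you believe belongs to an organization, the token is telling you the same thing the dashboard shows: the membership was never created, so no role can be attached either.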