Auth0 requires organization check

Grafana Authentication
1

  • What Grafana version and what operating system are you using?
    Grafana OSS v13.1.0

  • What are you trying to achieve?
    Use Auth0 to authenticate in Grafana

  • How are you trying to achieve it?
    I have followed Configure Generic OAuth authentication | Grafana documentation

  • What happened?
    Auth0 checks the session contains a selected organization within Auth0

  • What did you expect to happen?
    Grafana logins with a valid Auth0, who previously selected a valid Auth0 organization

  • Can you copy/paste the configuration(s) that you are having problems with?

  \[auth.generic_oauth\]
  enabled = true
  name = Auth0
  allow_sign_up = true
  auto_login = true
  client_id = myClientId
  client_secret = mySecret
  scopes = openid profile email offline_access
  auth_style = InParams
  auth_url = myAuth0/authorize
  token_url = myAuth0/auth/token
  api_url = myAuth0/userinfo
  use_pkce = true
  use_refresh_token = true

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    logger=http.server t=2026-05-18T11:29:56.664747997Z level=error msg="failed to login " error=access_denied errorDesc=“Check your organization access and try again”

  • Did you follow any online instructions? If so, what is the URL?

So the problem I am facing is that Auth0 requires an organization. I login successfully with Auth0 in another browser tab, when I go to Grafana’s tab, it is supposed to use the same Auth0, and indeed it uses it, but Auth0 complains that the organization is missing, and I did selected the organization in the Auth0 login.

Another option that the Auht0 admin gave me is that Grafana sends the query parama prompt=none, but I don’t know how to do that, and simply adding the query parameter to the authorize endpoint did not work.

2

So the issue in the config which you posted is

Screenshot (65)
Screenshot (65)1550×716 24.3 KB

  1. auto_login = true → this causes a infinite redirect loop .Grafana redirect to Auth0 and Auth0 redirect back which repeats forever
    so replace this by auto_login = false
    2)Wrong token_url → Auth0 token endpoint is never → /auth/token
    this cause failed to get token from provider error
    so use token_url ->https://YOUR_DOMAIN/oauth/token
    3)Missing extra_params →
    Main Issue: Without sending “organisation=org_id” to Auth0 on every login request, Auth0 cannot see which organisation the user belongs so it throws error → access_denied — Check your organisation access and try again
    Remove error by using extra_params = organisation=your_org_id
    Always use extra_params this is the best way to pass organisation to Auth0.
    4)auth_style = InParams . This forces client credentials into URL parameters instead of the request body. With use_pkce = true already set, this creates a conflict in how Auth0 receives the authentication request. so remove this line completely
    5)Incomplete auth_url and api_url
    Grafana cannot make a valid redirect without the full URL.
    so use this
    auth_url = https://YOUR_DOMAIN/authorize
    api_url = https://YOUR_DOMAIN/userinfo

make sure you configured the application URLs

Screenshot (64)
Screenshot (64)1920×1080 324 KB

3

Thanks @infofcc3 for taking your time to answering my question. I did not find this “extra_params” as a possibe setting.
Anyway, the organization is dynamic.
We ended up intercepting the authorize redirect and injecting the organization query parameter.
Best