AshAuthentication multitenancy org uses attribute, user uses context

Hey

I’ve read through the posts on using AshAuthentication and multitenancy and couldn’t find an appropriate fit for this.

The title of this post may need massaging if this cannot be written off immediately.

Scenario

Using a clean (generated) slate, I’ve created a new resource Organization which uses the :attribute strategy whereas the User and Token resources have been adapted to use the :context strategy. This is further explained below and also published as a preproduction on GitHub.

Running the registration actions on User with the correct tenant set in AshAdmin, I get an error from Myapp.Accounts.Token.store_confirmation_changes saying:

Queries against the Myapp.Accounts.Token resource require a tenant to be specified

I get the same result from running the code in an iex session (please see the README of the reproduction).

The changes from the generated code are set out in this commit:

This is all set out in the README of reproduction repo, but I paste the pertinent sections of the resources below.

Asking humbly, is there something manifestly wrong with this setup?

Thankful for any input

The resources

User and Token

multitenancy do
  strategy :context
end

Organization

postgres do
  table "organizations"
  repo Myapp.Repo

  manage_tenant do
    template ["org_", :subdomain]
    create? true
    update? false
  end
end

multitenancy do
  strategy :attribute
  attribute :subdomain
  global? true
end

To juggle resources using different multitenancy strategies, the Ash.ToTenant protocol introspects the resources and returns either the org_subdomain form or the attrubute subdomain.

defimpl Ash.ToTenant do
  def to_tenant(%{subdomain: subdomain}, resource) do
    if Ash.Resource.Info.data_layer(resource) == AshPostgres.DataLayer &&
          Ash.Resource.Info.multitenancy_strategy(resource) == :context do
      "org_#{subdomain}"
    else
      subdomain
    end
  end
end

Perhaps it is worth noting that the :subdomain attribute on Organization is of the type :ci_string.

attribute :subdomain, :ci_string do
  public? true
  allow_nil? false
end

Hey! Could you try main of both ash_authentication and ash_authentication_phoenix?

Of course

But no mas unfortunately, same error with:

# {:ash_authentication_phoenix, "~> 2.0"},
{:ash_authentication_phoenix, github: "team-alembic/ash_authentication_phoenix"},
# {:ash_authentication, "~> 4.0"},
{:ash_authentication, github: "team-alembic/ash_authentication", override: true},

Good to know thanks can you share the full error output including the stack trace?

[debug] HANDLE EVENT "save" in AshAdmin.PageLive
  Component: AshAdmin.Components.Resource.Form
  Parameters: %{"form" => %{"_form_type" => "create", "_touched" => "email,password,password_confirmation", "email" => "kurt@nsa.gov", "password" => "[FILTERED]", "password_confirmation" => "[FILTERED]"}}
[debug] QUERY OK db=0.3ms idle=1496.3ms
begin []
↳ anonymous fn/3 in Ash.Changeset.with_hooks/3, at: lib/ash/changeset/changeset.ex:3555
[debug] QUERY OK source="users" db=0.3ms
INSERT INTO "org_nsa"."users" ("id","hashed_password","email") VALUES ($1,$2,$3) RETURNING "hashed_password","email","id","confirmed_at" ["e5bcff53-e76d-48d5-bf43-f1706b5bec11", "$2b$12$f9bx08Q0cnVkcvEpDayFBOAa0saabDFZ6eh2FexF7qfEEYlk3ZuyW", #Ash.CiString<"kurt@nsa.gov">]
↳ AshPostgres.DataLayer.bulk_create/3, at: lib/data_layer.ex:1934
[debug] QUERY OK source="tokens" db=0.2ms
INSERT INTO "org_nsa"."tokens" AS t0 ("subject","purpose","jti","expires_at","created_at","updated_at","inserted_at") VALUES ($1,$2,$3,$4,$5,$6,$7) ON CONFLICT ("jti") DO UPDATE SET "subject" = EXCLUDED."subject", "purpose" = EXCLUDED."purpose", "expires_at" = EXCLUDED."expires_at", "updated_at" = COALESCE(EXCLUDED."updated_at", $8) RETURNING "updated_at","inserted_at","extra_data","purpose","expires_at","subject","jti","created_at" ["user?id=e5bcff53-e76d-48d5-bf43-f1706b5bec11", "user", "30j2aht9vqq0qrem6c0003t1", ~U[2025-03-07 06:28:15Z], ~U[2025-02-21 06:28:15.756213Z], ~U[2025-02-21 06:28:15.756219Z], ~U[2025-02-21 06:28:15.756219Z], ~U[2025-02-21 06:28:15.756904Z]]
↳ AshPostgres.DataLayer.bulk_create/3, at: lib/data_layer.ex:1934
[debug] QUERY OK source="tokens" db=0.9ms
INSERT INTO "org_nsa"."tokens" AS t0 ("subject","purpose","jti","expires_at","created_at","updated_at","inserted_at") VALUES ($1,$2,$3,$4,$5,$6,$7) ON CONFLICT ("jti") DO UPDATE SET "subject" = EXCLUDED."subject", "purpose" = EXCLUDED."purpose", "expires_at" = EXCLUDED."expires_at", "updated_at" = COALESCE(EXCLUDED."updated_at", $8) RETURNING "updated_at","inserted_at","extra_data","purpose","expires_at","subject","jti","created_at" ["user?id=e5bcff53-e76d-48d5-bf43-f1706b5bec11", "user", "30j2ahtas1eaerem6c0003u1", ~U[2025-02-24 06:28:15Z], ~U[2025-02-21 06:28:15.765400Z], ~U[2025-02-21 06:28:15.765413Z], ~U[2025-02-21 06:28:15.765413Z], ~U[2025-02-21 06:28:15.765518Z]]
↳ AshPostgres.DataLayer.bulk_create/3, at: lib/data_layer.ex:1934
[error] Failed to generate confirmation token
: ** (Ash.Error.Invalid) 
Bread Crumbs:
  > Error returned from: Myapp.Accounts.Token.store_confirmation_changes

Invalid Error

* Queries against the Myapp.Accounts.Token resource require a tenant to be specified
  (ash 3.4.64) lib/ash/error/invalid/tenant_required.ex:5: Ash.Error.Invalid.TenantRequired.exception/1
  (ash 3.4.64) lib/ash/actions/create/create.ex:600: Ash.Actions.Create.set_tenant/1
  (ash 3.4.64) lib/ash/actions/create/create.ex:253: Ash.Actions.Create.commit/3
  (ash 3.4.64) lib/ash/actions/create/create.ex:132: Ash.Actions.Create.do_run/4
  (ash 3.4.64) lib/ash/actions/create/create.ex:50: Ash.Actions.Create.run/4
  (ash_authentication 4.5.1) lib/ash_authentication/add_ons/confirmation/actions.ex:93: AshAuthentication.AddOn.Confirmation.Actions.store_changes/4
  (ash_authentication 4.5.1) lib/ash_authentication/add_ons/confirmation.ex:150: AshAuthentication.AddOn.Confirmation.confirmation_token/4
  (ash_authentication 4.5.1) lib/ash_authentication/add_ons/confirmation/confirmation_hook_change.ex:329: anonymous fn/5 in AshAuthentication.AddOn.Confirmation.ConfirmationHookChange.maybe_perform_confirmation/4
  (ash 3.4.64) lib/ash/changeset/changeset.ex:4079: anonymous fn/2 in Ash.Changeset.run_after_actions/3
  (elixir 1.18.1) lib/enum.ex:4964: Enumerable.List.reduce/3
  (elixir 1.18.1) lib/enum.ex:2600: Enum.reduce_while/3
  (ash 3.4.64) lib/ash/changeset/changeset.ex:3557: anonymous fn/3 in Ash.Changeset.with_hooks/3
  (ecto_sql 3.12.1) lib/ecto/adapters/sql.ex:1400: anonymous fn/3 in Ecto.Adapters.SQL.checkout_or_transaction/4
  (db_connection 2.7.0) lib/db_connection.ex:1756: DBConnection.run_transaction/4
  (ash 3.4.64) lib/ash/changeset/changeset.ex:3555: anonymous fn/3 in Ash.Changeset.with_hooks/3
  (ash 3.4.64) lib/ash/changeset/changeset.ex:3699: anonymous fn/2 in Ash.Changeset.transaction_hooks/2
  (ash 3.4.64) lib/ash/changeset/changeset.ex:3536: Ash.Changeset.with_hooks/3
  (ash 3.4.64) lib/ash/actions/create/create.ex:260: Ash.Actions.Create.commit/3
  (ash 3.4.64) lib/ash/actions/create/create.ex:132: Ash.Actions.Create.do_run/4
[debug] QUERY OK db=8.9ms
commit []
↳ anonymous fn/3 in Ash.Changeset.with_hooks/3, at: lib/ash/changeset/changeset.ex:3555
[debug] Replied in 277ms
[info] GET /admin
[debug] Processing with AshAdmin.PageLive.page/2
  Parameters: %{"domain" => "Accounts", "primary_key" => "e5bcff53-e76d-48d5-bf43-f1706b5bec11", "resource" => "User", "route" => [], "table" => ""}
  Pipelines: [:browser]
[debug] QUERY OK source="users" db=0.2ms queue=0.3ms idle=1838.3ms
SELECT u0."id", u0."confirmed_at", u0."hashed_password", u0."email" FROM "org_nsa"."users" AS u0 WHERE (u0."id"::uuid::uuid = $1::uuid::uuid) ["e5bcff53-e76d-48d5-bf43-f1706b5bec11"]
↳ anonymous fn/3 in AshPostgres.DataLayer.run_query/2, at: lib/data_layer.ex:785
[info] Sent 200 in 18ms
[info] CONNECTED TO Phoenix.LiveView.Socket in 29µs
  Transport: :websocket
  Serializer: Phoenix.Socket.V2.JSONSerializer
  Parameters: %{"_csrf_token" => "HRZjAH4yXhUMEB8bQ1EDCjQ0AC8nc39cUz9XSz9efVhh7c7gbvZDEFMl", "tenant" => "org_nsa", "vsn" => "2.0.0"}
[debug] MOUNT AshAdmin.PageLive
  Parameters: %{"domain" => "Accounts", "primary_key" => "e5bcff53-e76d-48d5-bf43-f1706b5bec11", "resource" => "User", "route" => [], "table" => ""}
  Session: %{"_csrf_token" => "HlZX-HgpjFwst24mVBZkb520", "actor_action" => nil, "actor_authorizing" => nil, "actor_domain" => nil, "actor_paused" => nil, "actor_primary_key" => nil, "actor_resource" => nil, "prefix" => "/", "request_path" => "/admin", "tenant" => "org_nsa"}
[debug] Replied in 176µs
[debug] HANDLE PARAMS in AshAdmin.PageLive
  Parameters: %{"domain" => "Accounts", "primary_key" => "e5bcff53-e76d-48d5-bf43-f1706b5bec11", "resource" => "User", "route" => [], "table" => ""}
[debug] QUERY OK source="users" db=1.2ms idle=1308.4ms
SELECT u0."id", u0."confirmed_at", u0."hashed_password", u0."email" FROM "org_nsa"."users" AS u0 WHERE (u0."id"::uuid::uuid = $1::uuid::uuid) ["e5bcff53-e76d-48d5-bf43-f1706b5bec11"]
↳ anonymous fn/3 in AshPostgres.DataLayer.run_query/2, at: lib/data_layer.ex:785
[debug] Replied in 1ms

can you try main again? With mix deps.update ash_authentication

I just did but I’m sorry it is the same, see stack trace below.

Also committed and pushed it to the reproduction.

[debug] HANDLE EVENT "save" in AshAdmin.PageLive
  Component: AshAdmin.Components.Resource.Form
  Parameters: %{"form" => %{"_form_type" => "create", "_touched" => "email,password,password_confirmation", "email" => "maria@nsa.gov", "password" => "[FILTERED]", "password_confirmation" => "[FILTERED]"}}
[debug] QUERY OK db=0.3ms idle=1867.5ms
begin []
↳ anonymous fn/3 in Ash.Changeset.with_hooks/3, at: lib/ash/changeset/changeset.ex:3555
[debug] QUERY OK source="users" db=0.5ms
INSERT INTO "org_nsa"."users" ("id","hashed_password","email") VALUES ($1,$2,$3) RETURNING "hashed_password","email","id","confirmed_at" ["45df00df-8908-496c-a937-eaa07bf02aa8", "$2b$12$z7CfT/Yyi887s3mUfHIJ.ugBiepJbnvSm4ojarjtpwB5jnpCX40sS", #Ash.CiString<"maria@nsa.gov">]
↳ AshPostgres.DataLayer.bulk_create/3, at: lib/data_layer.ex:1934
[debug] QUERY OK source="tokens" db=1.8ms
INSERT INTO "org_nsa"."tokens" AS t0 ("subject","jti","purpose","expires_at","created_at","updated_at","inserted_at") VALUES ($1,$2,$3,$4,$5,$6,$7) ON CONFLICT ("jti") DO UPDATE SET "subject" = EXCLUDED."subject", "purpose" = EXCLUDED."purpose", "expires_at" = EXCLUDED."expires_at", "updated_at" = COALESCE(EXCLUDED."updated_at", $8) RETURNING "updated_at","inserted_at","extra_data","purpose","expires_at","subject","jti","created_at" ["user?id=45df00df-8908-496c-a937-eaa07bf02aa8", "30j2c85i6t026ogo4k000503", "user", ~U[2025-03-07 06:43:47Z], ~U[2025-02-21 06:43:47.901819Z], ~U[2025-02-21 06:43:47.901824Z], ~U[2025-02-21 06:43:47.901824Z], ~U[2025-02-21 06:43:47.902563Z]]
↳ AshPostgres.DataLayer.bulk_create/3, at: lib/data_layer.ex:1934
[debug] QUERY OK source="tokens" db=0.1ms
INSERT INTO "org_nsa"."tokens" AS t0 ("subject","jti","purpose","expires_at","created_at","updated_at","inserted_at") VALUES ($1,$2,$3,$4,$5,$6,$7) ON CONFLICT ("jti") DO UPDATE SET "subject" = EXCLUDED."subject", "purpose" = EXCLUDED."purpose", "expires_at" = EXCLUDED."expires_at", "updated_at" = COALESCE(EXCLUDED."updated_at", $8) RETURNING "updated_at","inserted_at","extra_data","purpose","expires_at","subject","jti","created_at" ["user?id=45df00df-8908-496c-a937-eaa07bf02aa8", "30j2c85iv8i1gogo4k000536", "user", ~U[2025-02-24 06:43:47Z], ~U[2025-02-21 06:43:47.908962Z], ~U[2025-02-21 06:43:47.908965Z], ~U[2025-02-21 06:43:47.908965Z], ~U[2025-02-21 06:43:47.908990Z]]
↳ AshPostgres.DataLayer.bulk_create/3, at: lib/data_layer.ex:1934
[error] Failed to generate confirmation token
: ** (Ash.Error.Invalid) 
Bread Crumbs:
  > Error returned from: Myapp.Accounts.Token.store_confirmation_changes

Invalid Error

* Queries against the Myapp.Accounts.Token resource require a tenant to be specified
  (ash 3.4.64) lib/ash/error/invalid/tenant_required.ex:5: Ash.Error.Invalid.TenantRequired.exception/1
  (ash 3.4.64) lib/ash/actions/create/create.ex:600: Ash.Actions.Create.set_tenant/1
  (ash 3.4.64) lib/ash/actions/create/create.ex:253: Ash.Actions.Create.commit/3
  (ash 3.4.64) lib/ash/actions/create/create.ex:132: Ash.Actions.Create.do_run/4
  (ash 3.4.64) lib/ash/actions/create/create.ex:50: Ash.Actions.Create.run/4
  (ash_authentication 4.5.1) lib/ash_authentication/add_ons/confirmation/actions.ex:93: AshAuthentication.AddOn.Confirmation.Actions.store_changes/4
  (ash_authentication 4.5.1) lib/ash_authentication/add_ons/confirmation.ex:150: AshAuthentication.AddOn.Confirmation.confirmation_token/4
  (ash_authentication 4.5.1) lib/ash_authentication/add_ons/confirmation/confirmation_hook_change.ex:329: anonymous fn/5 in AshAuthentication.AddOn.Confirmation.ConfirmationHookChange.maybe_perform_confirmation/4
  (ash 3.4.64) lib/ash/changeset/changeset.ex:4079: anonymous fn/2 in Ash.Changeset.run_after_actions/3
  (elixir 1.18.1) lib/enum.ex:4964: Enumerable.List.reduce/3
  (elixir 1.18.1) lib/enum.ex:2600: Enum.reduce_while/3
  (ash 3.4.64) lib/ash/changeset/changeset.ex:3557: anonymous fn/3 in Ash.Changeset.with_hooks/3
  (ecto_sql 3.12.1) lib/ecto/adapters/sql.ex:1400: anonymous fn/3 in Ecto.Adapters.SQL.checkout_or_transaction/4
  (db_connection 2.7.0) lib/db_connection.ex:1756: DBConnection.run_transaction/4
  (ash 3.4.64) lib/ash/changeset/changeset.ex:3555: anonymous fn/3 in Ash.Changeset.with_hooks/3
  (ash 3.4.64) lib/ash/changeset/changeset.ex:3699: anonymous fn/2 in Ash.Changeset.transaction_hooks/2
  (ash 3.4.64) lib/ash/changeset/changeset.ex:3536: Ash.Changeset.with_hooks/3
  (ash 3.4.64) lib/ash/actions/create/create.ex:260: Ash.Actions.Create.commit/3
  (ash 3.4.64) lib/ash/actions/create/create.ex:132: Ash.Actions.Create.do_run/4

No problem, will take a look in the morning thanks!

Investigating now, just want to say thank you for such a detailed and useful reproduction

I feel bad, I just didn’t push the fix up properly last night Only had a few and didn’t realize that the push failed. Anyway, fixed in main, will be released next week

Many thanks Zach!

Happy Friday