Internal only. This page is for Juno support staff. For user-facing guidance, see Login Issues.
Auth architecture overview
Juno uses Firebase Authentication as the identity layer, with MongoDB storing user records linked by Firebase UID.
JWT claims issued on login:
{
  "uid": "<firebase_uid>",
  "tid": "<tenant_id>",
  "role": 1,
  "support": 0,
  "domainRoles": {},
  "actor": null
}
Role values: 1 = Learner, 2 = Instructor, 3 = Manager, 5 = Admin, 6 = Owner, 99 = Blocked
Support levels: 0 = none, 2+ = can reset passwords / change roles, 3+ = can create tenants / delete auth, 10 = super
Diagnosis flow
Step 1 — Identify the auth method
Ask the user or check Admin → Users → [User] → Auth Provider:
- password — email/password via Firebase
- google.com — Google OAuth
- linkedin.com — LinkedIn OAuth
- saml.* — SAML/SSO
The fix path differs by provider. SSO users cannot use the email/password reset flow.
Step 2 — Check Firebase
- Open Firebase console → select the correct project (each environment has its own)
- Navigate to Authentication → Users
- Search for the user’s email
- Confirm: user exists, correct tenant, UID matches MongoDB record
Most common misconfiguration: user was created under the wrong tenant. The tid in Firebase custom claims must match the org slug in MongoDB.
Step 3 — Check MongoDB user record
// In MongoDB shell or Compass
db.users.findOne({ email: "user@example.com", tid: "org-slug" })
Key fields to check:
| Field | Expected | Problem if wrong |
|---|---|---|
| inactive | false | true = deactivated, role is effectively 99 |
| role | 1–6 | 99 = blocked, sees nothing after login |
| tid | matches org slug | wrong org = user can’t see org content |
| firebaseUid | matches Firebase UID | mismatch = JWT claims won’t resolve |
Common scenarios
Scenario A: User can’t log in — “email or password incorrect”
- Firebase error auth/user-not-found → user doesn’t exist in Firebase for this tenant
  - Check if user exists under a different tenant
  - If yes: either re-invite under correct tenant or update tid
- Firebase error auth/wrong-password → user exists but wrong password
  - Have user use Forgot Password flow
  - If reset email doesn’t arrive: check SendGrid delivery logs for bounces/blocks
- No Firebase error but login fails → check MongoDB inactive field
Scenario B: Reset email not arriving
- Check SendGrid delivery logs → look for bounce, block, or spam report
- Verify the email address in Firebase matches exactly (case-sensitive comparison)
- Check user’s spam folder
- SSO users: they have no Firebase password — they must use SSO. Attempting password reset for an SSO user will appear to succeed but the email won’t work.
Scenario C: User sees blank screen after login
Role 99 or inactive: true — user can authenticate but the app returns no content.
To reactivate via Admin UI:
Admin → Users → [User] → Actions → Reactivate
This updates both MongoDB (inactive: false) and Firebase (re-enables auth). Do not update only one — a sync mismatch causes intermittent failures.
Scenario D: JWT role mismatch (user’s role changed but old role persists)
JWT is issued at login and cached. After a role change:
- User must log out and back in to get a new JWT with the updated role
- If impersonation is active, the actor claim in the JWT reflects the impersonator — not a bug
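The checks from Steps 1–3 and Scenarios B–D can be run as one pass over a user's records. The function below is an added example, not Juno's own code. It assumes the Firebase record is a plain object with `uid`, `email`, `disabled`, `customClaims` and `providerData[].providerId`; the finding codes and sample records are constructed for illustration.

```javascript
// Triage over one user's records. fb = Firebase user, db = MongoDB users doc,
// jwt = decoded claims from the user's current token (optional).
// Object shapes are assumptions; field names follow this page where it gives them.
function diagnoseLogin(fb, db, jwt) {
  const findings = [];
  const add = (code, detail) => findings.push({ code, detail });

  if (!fb) add('NO_FIREBASE_USER', 'auth/user-not-found: check other tenants');
  if (!db) add('NO_MONGO_USER', 'no users document for this email and tid');
  if (!fb || !db) return findings;

  // Step 2: UID and tenant must agree across both stores.
  if (db.firebaseUid !== fb.uid)
    add('UID_MISMATCH', 'firebaseUid differs from Firebase UID; claims will not resolve');
  if ((fb.customClaims || {}).tid !== db.tid)
    add('TENANT_MISMATCH', 'tid claim does not match the org slug in MongoDB');

  // Scenario B: exact, case-sensitive email comparison.
  if (fb.email !== db.email)
    add('EMAIL_MISMATCH', 'email differs between Firebase and MongoDB (case counts)');

  // Step 1 / Scenario B: SSO users cannot use the password reset flow.
  const providers = (fb.providerData || []).map((p) => p.providerId);
  if (providers.some((p) => p.startsWith('saml.')))
    add('SSO_USER', 'reset email will not work; user must sign in via SSO');

  // Scenario C: user authenticates but the app returns no content.
  if (db.inactive === true || db.role === 99)
    add('BLOCKED_OR_INACTIVE', 'blank screen after login; reactivate via Admin UI');
  // Deactivate/Reactivate change both stores; one-sided state is a sync mismatch.
  if (Boolean(db.inactive) !== Boolean(fb.disabled))
    add('SYNC_MISMATCH', 'MongoDB inactive and Firebase disabled state disagree');

  // Scenario D: token was issued before the role change.
  if (jwt && jwt.role !== db.role)
    add('STALE_JWT_ROLE', `token role ${jwt.role}, MongoDB role ${db.role}; log out and back in`);
  if (jwt && jwt.actor)
    add('IMPERSONATION_ACTIVE', 'actor claim set; expected while impersonating');
  return findings;
}

// Constructed sample records (not real users).
const fbUser = { uid: 'uid-123', email: 'User@example.com', disabled: false,
  customClaims: { tid: 'acme' }, providerData: [{ providerId: 'saml.acme' }] };
const dbUser = { email: 'user@example.com', tid: 'acme-corp',
  firebaseUid: 'uid-123', role: 3, inactive: false };
const claims = { uid: 'uid-123', tid: 'acme', role: 1, support: 0, domainRoles: {}, actor: null };

console.log(diagnoseLogin(fbUser, dbUser, claims).map((f) => f.code));
```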
Admin actions reference
| Action | Where | Effect |
|---|---|---|
| Change Role | Admin → Users → [User] → Edit | Updates MongoDB role |
| Deactivate | Admin → Users → [User] → Deactivate | Sets inactive: true, disables Firebase auth |
| Reactivate | Admin → Users → [User] → Reactivate | Sets inactive: false, re-enables Firebase auth |
| Delete User Auth | Admin → Users → [User] → Delete | Removes Firebase UID — user can re-register with same email |
| Impersonate | Admin → Users → [User] → Impersonate | Sets actor claim in JWT, logs support action |
Support level requirements
| Action | Min support level |
|---|---|
| View user details | 2 |
| Reset password / change role | 2 |
| Create tenant / delete auth | 3 |
| Impersonate any user | 10 |
Last modified on March 26, 2026