A bit more complex use case around account linking

Hello, we probably have rather unique requirements for linking accounts and I’d like to make sure that what we want to achieve is possible with Auth0. So those are the requirements:

  • Users sign up with email/password or a social login provider (Github, Google, …)
  • Users should be able to link social logins to their user profile
  • Linked accounts may have been registered with another email address than the one used for sign up
  • No social account should be linked to more than one user
  • Email addresses should be unique among all databases

So this is the raw idea on how this might be solved:

  1. User signs up using Auth0 on our SPA
  2. User initiates the account linking on the SPA as described in User-Initiated Account Linking: Client-Side Implementation
  3. Frontend merges metadata and uses the management API to update the user’s identities
  4. A rule/hook checks that the social login is not already linked to any other user. Question: Is that possible? Or even necessary (is it allowed to link the same identity to multiple accounts?)?
  5. Another rule/hook checks if that email address is already in use for another account. Question: As I understand account linking works by first creating an account in the social database and then merging that account with the already existing one, is that correct? Is it then even possible to have this constraint for account linking? (let’s assume someone initiates linking another account that uses the same email address, the new account is then created but the merging fails for some reason, wouldn’t we then have two accounts with the same email address?) Is there a way to circumvent this?

Hi @eosn-fred

This strategy should work, with a couple of modifications.

You can link any two accounts (even accounts that have been linked before), and the result is a single account with ALL of the other accounts linked. You will see them all in the user’s identities array.

Both accounts must exist before linking (and you should make the user authenticate to both accounts before linking). So, you cannot have a case where the email address is in use for a different account.

John

Okay, so just to make sure. Let’s say a user signs up using email/password with foo@example.com and then links a foo@facebook social login (so foo@example.com and foo@facebook are now merged in the auth0 database). Now the user signs up again with bar@domain.net and links foo@facebook as well to that account. So we now have one database entry that links all 3 accounts: bar@domain.net, foo@example.com and foo@facebook (as the last 2 were already linked), is that correct?

Okay so but if both accounts musts exist, then there might exist 2 accounts (before merging) with the same email address, right? So I cannot really use a hook/rule to enforce unique email addresses among multiple databases? Is there a way to circumvent this? For example having a rule/hook set some metadata flags for accounts that are created by user initiated linking only?
So for example a user logs in with his email/password, initiates linking with a github account that uses the same email address, but the created account has some metadata like active=false (so basically this is not a valid account until it’s metadata is properly merged). That way we could prevent logging in with github (until linking is done) and therefor wouldn’t care about the duplicate email address.

You can link any number of accounts, correct.

There may exist two accounts before merging with the same email address BUT within a single DB connection, all emails must be unique. For example, user foo@example.com might have a email/password account (DB connection) and also a facebook account with the same address.
So why are you trying to enforce uniqueness?

I am not following “accounts that are created by user initiated linking”. This sounds like a security hole. You should ONLY link already created accounts. And you should require authentication to both accounts before linking. There is a small detail here: the first time a user logs in to a social account, that account profile is created in Auth0. This is normal.

I am not following your github example. The flow would be:

  • User logs in with email/password
  • User goes to profile section of dashboard and clicks “link github account”
  • User is redirected to sign in with github credentials
  • dashboard backend links the two accounts via management API

Or

  • User signs in with email/password.
  • Some time later: user signs in with github credentials
  • Auth0 rule detects that the two accounts share the same email address
  • Rule asks user to sign in with email/password
  • Rule then links the two accounts.

John