Hello, we probably have rather unique requirements for linking accounts, and I’d like to make sure that what we want to achieve is possible with Auth0. These are the requirements:
- Users sign up with email/password or a social login provider (Github, Google, …)
- Users should be able to link social logins to their user profile
- Linked accounts may have been registered with a different email address than the one used for sign-up
- No social account should be linked to more than one user
- Email addresses should be unique among all databases
This is the rough idea of how this might be solved:
- User signs up using Auth0 on our SPA
- User initiates the account linking on the SPA as described in User Initiated Account Linking - Client-Side Implementation
- Frontend merges metadata and uses the management API to update the user’s identities
- A rule/hook checks that the social login is not already linked to any other user. Question: Is that possible? Or even necessary (is it allowed to link the same identity to multiple accounts?)?
- Another rule/hook checks if that email address is already in use for another account. Question: As I understand it, account linking works by first creating an account in the social database and then merging that account with the already existing one, is that correct? Is it then even possible to have this constraint for account linking? (Let’s assume someone initiates linking another account that uses the same email address; the new account is then created, but the merging fails for some reason. Wouldn’t we then have two accounts with the same email address?) Is there a way to circumvent this?
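As an added example (not code from the original post, and not Auth0's own Rule, Hook or Management API code), the two constraints the post asks about modelled in plain JavaScript over an in-memory user directory. The user records loosely mimic Auth0's user shape (`user_id`, `email`, `identities[]` with `provider`/`user_id`/`connection`) but are constructed sample data; the function names, the case-insensitive email comparison, "primary wins on metadata conflicts" and the compensating rollback when the merge step fails are all assumptions made for this model, not documented Auth0 behaviour:

```javascript
// Added example, not from the original post or from Auth0. In-memory model of
// the two account-linking checks: (1) no social identity linked to more than one
// user, (2) email unique across all connections, plus a compensation step so a
// failed merge leaves no orphan secondary account behind. All data is constructed.

const identityKey = (id) => `${id.provider}|${id.user_id}`;

// Constructed sample directory: one email/password user, one user who already
// has a GitHub identity linked.
function sampleDirectory() {
  return [
    {
      user_id: "auth0|alice",
      email: "alice@example.com",
      user_metadata: { plan: "pro" },
      identities: [{ provider: "auth0", user_id: "alice", connection: "Username-Password-Authentication" }],
    },
    {
      user_id: "auth0|bob",
      email: "bob@example.com",
      user_metadata: {},
      identities: [
        { provider: "auth0", user_id: "bob", connection: "Username-Password-Authentication" },
        { provider: "github", user_id: "12345", connection: "github" },
      ],
    },
  ];
}

// Which user, if any, already holds this (provider, user_id) pair? Used for
// constraint (1): a social identity may be linked to at most one user.
function ownerOfIdentity(dir, identity) {
  const key = identityKey(identity);
  return dir.find((u) => u.identities.some((i) => identityKey(i) === key)) || null;
}

// Every user whose email matches (case-insensitive; an assumption of this model).
// Used for constraint (2): emails unique across all connections.
function usersWithEmail(dir, email) {
  const needle = String(email || "").trim().toLowerCase();
  return needle ? dir.filter((u) => String(u.email || "").toLowerCase() === needle) : [];
}

// Gate run BEFORE the secondary social account is created at all: its email may
// not collide with anyone other than the user who is linking (that user may link
// an identity sharing their own email), and the identity may not be linked yet.
function canCreateSecondary(dir, secondary, linkingUserId) {
  const clash = usersWithEmail(dir, secondary.email).find((u) => u.user_id !== linkingUserId);
  if (clash) return { ok: false, reason: `email already used by ${clash.user_id}` };
  const owner = ownerOfIdentity(dir, secondary.identities[0]);
  if (owner) return { ok: false, reason: `identity already linked to ${owner.user_id}` };
  return { ok: true };
}

// Default merge: primary keeps its email and user_id; secondary identities are
// appended (deduplicated); primary wins on metadata conflicts (assumption).
function mergeInto(primary, secondary) {
  const seen = new Set(primary.identities.map(identityKey));
  const extra = secondary.identities.filter((i) => !seen.has(identityKey(i)));
  return {
    ...primary,
    user_metadata: { ...secondary.user_metadata, ...primary.user_metadata },
    identities: [...primary.identities, ...extra],
  };
}

// Two-step link as the post describes: create the secondary, then merge it into
// the primary. If the merge throws, the secondary is dropped again so the
// directory never ends up with two accounts sharing an email. The input
// directory is never mutated; the result carries the directory to keep.
function linkAccounts(dir, primaryUserId, secondary, merge = mergeInto) {
  const primary = dir.find((u) => u.user_id === primaryUserId);
  if (!primary) return { ok: false, reason: "primary user not found", dir };
  const gate = canCreateSecondary(dir, secondary, primaryUserId);
  if (!gate.ok) return { ...gate, dir };
  const withSecondary = [...dir, secondary]; // step 1: secondary account exists
  try {
    const merged = merge(primary, secondary); // step 2: merge into primary
    const next = withSecondary
      .filter((u) => u.user_id !== secondary.user_id && u.user_id !== primary.user_id)
      .concat(merged);
    return { ok: true, dir: next };
  } catch (err) {
    // Compensation: return the directory from before step 1, i.e. no orphan.
    return { ok: false, reason: `merge failed: ${err.message}`, dir };
  }
}

// Usage: Alice links a GitHub identity registered under a different email.
const github = {
  user_id: "github|999",
  email: "alice.dev@example.com",
  user_metadata: { theme: "dark" },
  identities: [{ provider: "github", user_id: "999", connection: "github" }],
};
const result = linkAccounts(sampleDirectory(), "auth0|alice", github);
console.log(result.ok, result.dir.find((u) => u.user_id === "auth0|alice").identities.length);
```

The ordering is the point: both checks run before the secondary account is created, so the "created but merge failed" window the post worries about only ever contains a record whose email and identity were already known to be free, and the compensation branch discards it if the merge step still fails.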