Account linking extension and enforcing unique email addresses

Problem statement

I want to ensure that each user account has a unique email address across all connections by linking any duplicated email accounts (e.g. social accounts).

Solution

The account link extension only executes on a user's first login, which keeps Management API usage (and therefore rate-limit exposure) low. The auth0-account-link-extension rule is auto-generated once the extension is enabled and cannot be modified. Because it only prompts users to link accounts the first time they log in, a user who opts out will never be prompted a second time. This can leave multiple accounts on different connections sharing the same email address.

For this reason, it would be better to perform server-initiated account linking similar to the scenario detailed below, to force the user to link their accounts before they are granted access to the site:

Ideally, this implementation would still check whether this is the user's first login (for example, by adding logins_count as a custom claim to tokens) before searching, so that not every login triggers a user search on the Management API, which has much more restrictive rate limits than the Authentication API.

Another approach with server-initiated account linking would be to allow the user to not link their accounts, but delete the newly created account and redirect the user to log in again with their existing account. Deleting the account will invalidate the user’s session with Auth0 so they should be able to pick a different login method on the Universal Login page and not be automatically signed in again.
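An added example (not from the original article and not Auth0's own code) of both server-side approaches above: an Action that exposes logins_count as a custom claim, and the server's decision step that searches for duplicates only on the first login and then either links the new identity to the existing account or deletes the new account and redirects. The claim namespace, the sample users, the in-memory stand-in for the Management API and the oldest-account-is-primary rule are assumptions of this example.

```javascript
// Added example, not code from the original article or from Auth0. The
// Management API is replaced by an in-memory store so the logic runs offline.
const NS = 'https://example.com/'; // assumed custom-claim namespace

// Auth0 post-login Action: expose logins_count so the server only searches
// for duplicates on a user's first login.
const onExecutePostLogin = async (event, api) => {
  api.idToken.setCustomClaim(`${NS}logins_count`, event.stats.logins_count);
};

// Constructed sample users, shaped like Management API search results:
// an older Google login and a new database login with the same email.
const STORE = [
  { user_id: 'google-oauth2|111', email: 'alice@example.com',
    email_verified: true, created_at: '2021-01-01T00:00:00.000Z' },
  { user_id: 'auth0|222', email: 'alice@example.com',
    email_verified: true, created_at: '2023-06-01T00:00:00.000Z' },
];
const usersByEmail = (email) => STORE.filter((u) => u.email === email);

// Pure decision step, run server-side after the ID token has been validated.
// mode 'link'   = server-initiated linking into the existing account
// mode 'reject' = delete the new account and send the user back to log in
function decide(claims, sameEmailUsers, mode = 'link') {
  if (claims[`${NS}logins_count`] !== 1) return { action: 'allow', reason: 'not first login' };
  // Never merge on an unverified email: a social login with an unverified
  // address must not be linked into someone else's account. Leave it separate.
  if (!claims.email_verified) return { action: 'allow', reason: 'email not verified' };
  const dupes = sameEmailUsers.filter((u) => u.user_id !== claims.sub && u.email_verified);
  if (dupes.length === 0) return { action: 'allow', reason: 'email unique' };
  // Assumption: the oldest account stays the primary identity.
  const existing = [...dupes].sort((a, b) => a.created_at.localeCompare(b.created_at))[0];
  if (mode === 'link') return { action: 'link', primary: existing.user_id, secondary: claims.sub };
  return { action: 'reject', deleteUser: claims.sub, redirect: '/login', existing: existing.user_id };
}

// Server flow for one login: look up same-email users, then decide.
function reconcile(claims, mode) {
  return decide(claims, usersByEmail(claims.email), mode);
}
```

In a real deployment the `link` plan maps to the Management API "link a user account" call and the `reject` plan to "delete a user" followed by a redirect to Universal Login.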