Account Linking Extension and Enforcing Unique Email Addresses

Last modified: Oct 16, 2024

Overview

This article explains whether it is possible to enforce unique email addresses across all connections by linking any duplicated email accounts (for example, social accounts).

Applies To

  • Email addresses
  • Connections
  • Duplicate accounts

Cause

The Account Link extension only runs on a user's first login, to keep the number of Management API calls (which are rate limited) down.

  • This behaviour is visible in the auto-generated rule that the extension installation creates; that rule should NOT be modified.
  • If the user declines to link, the prompt is not shown to that account again. Linking is only offered again when a different, newly created account logs in for the first time.

Solution

If linking is essential for the use case, users cannot be given the option to opt out of account linking, so the extension is not suitable.

  • Customers who need to enforce account linking (for example, because email addresses must be unique across users) cannot rely on the extension: it runs only on the first login of a given account and lets the user decline the link.
  • The result can be several accounts on different connections sharing one email address, with no second prompt to link them.

For this reason, it is better to perform server-initiated account linking that forces users to link their accounts before they are granted access to the full site.

This implementation should still check whether this is the user's first login (for example, by adding logins_count to the tokens as a custom claim) before searching for duplicates, so that not every login triggers a user search on the Management API, whose rate limits are much more restrictive than those of the Authentication API.

Another server-initiated approach is to let the user decline the link, but then delete the newly created account and redirect the user to log in again with their existing account. Deleting the account invalidates the user's session with Auth0, so on the Universal Login page they can pick a different login method and are not signed in again automatically.
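Both server-initiated variants described above, the first-login guard that avoids a Management API search on every login and the delete-and-re-login alternative, as an added Python example. This is not Auth0's code and not the extension's auto-generated rule. It assumes that a post-login Action exposes logins_count as the namespaced custom claim https://example.com/claims/logins_count (a made-up name), that the ID token claims have already been verified by your OIDC library, and that `mgmt` is any authenticated Management API v2 client taking (method, path, body); a recording fake stands in for it so the example runs offline against constructed sample users. The endpoints used are the real ones (GET /api/v2/users-by-email, POST /api/v2/users/{id}/identities, DELETE /api/v2/users/{id}).

```python
"""Server-initiated account linking after login (added example, not Auth0's).

Assumptions not stated in the article:
  * LOGINS_COUNT_CLAIM is a custom claim holding event.stats.logins_count.
  * `claims` are ID token claims already verified by the OIDC library.
  * `mgmt(method, path, body)` is an authenticated Management API v2 client;
    FakeManagementApi below is a constructed stand-in for offline use.
"""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import quote, unquote

LOGINS_COUNT_CLAIM = "https://example.com/claims/logins_count"  # assumed name
MgmtClient = Callable[[str, str, Optional[dict]], object]


@dataclass
class LinkDecision:
    action: str                            # "skip" | "none" | "link" | "delete"
    user_id: str                           # account that just logged in
    primary_user_id: Optional[str] = None  # pre-existing account, if any


def plan_linking(claims: dict, mgmt: MgmtClient, mode: str = "link") -> LinkDecision:
    """Decide what to do for this login. Only a first login reaches the
    Management API; every later login returns "skip" without a search."""
    new_id = claims["sub"]
    if claims.get(LOGINS_COUNT_CLAIM) != 1:
        return LinkDecision("skip", new_id)
    email = claims.get("email", "")
    if not email or not claims.get("email_verified"):
        # Linking on an unverified address would let anyone who can register
        # that address take over the existing account, so do nothing.
        return LinkDecision("none", new_id)
    found = mgmt("GET", f"/api/v2/users-by-email?email={quote(email)}", None)
    existing = [
        u for u in found
        if u["user_id"] != new_id
        and u.get("email_verified")
        and u["email"].lower() == email.lower()
    ]
    if not existing:
        return LinkDecision("none", new_id)
    # The oldest verified account keeps its user_id and becomes the primary.
    primary = min(existing, key=lambda u: u["created_at"])
    return LinkDecision("link" if mode == "link" else "delete", new_id, primary["user_id"])


def apply_decision(decision: LinkDecision, mgmt: MgmtClient) -> str:
    """Execute the decision. Returns the user_id the application session should
    now belong to; "" means drop the session and send the user back to
    Universal Login to sign in with the existing account."""
    if decision.action == "link":
        # The identities endpoint takes the secondary's provider and bare id,
        # i.e. the two halves of "provider|id".
        provider, _, bare_id = decision.user_id.partition("|")
        mgmt("POST", f"/api/v2/users/{quote(decision.primary_user_id)}/identities",
             {"provider": provider, "user_id": bare_id})
        return decision.primary_user_id
    if decision.action == "delete":
        mgmt("DELETE", f"/api/v2/users/{quote(decision.user_id)}", None)
        # Auth0's session is invalid once the user is deleted, but the app
        # must still clear its own session cookie before redirecting.
        return ""
    return decision.user_id


class FakeManagementApi:
    """Constructed stand-in for the Management API, for the offline demo."""

    def __init__(self, users: list):
        self.users = users
        self.calls: list = []

    def __call__(self, method: str, path: str, body: Optional[dict] = None):
        self.calls.append((method, path, body))
        if method == "GET" and path.startswith("/api/v2/users-by-email?email="):
            email = unquote(path.split("email=", 1)[1]).lower()
            return [u for u in self.users if u["email"].lower() == email]
        return {}


# Constructed sample data: an existing password account and the Google
# account Auth0 just created for the same address.
SAMPLE_USERS = [
    {"user_id": "auth0|000111", "email": "alice@example.com",
     "email_verified": True, "created_at": "2023-01-05T10:00:00.000Z"},
    {"user_id": "google-oauth2|999", "email": "alice@example.com",
     "email_verified": True, "created_at": "2024-10-16T08:00:00.000Z"},
]
FIRST_LOGIN_CLAIMS = {
    "sub": "google-oauth2|999", "email": "alice@example.com",
    "email_verified": True, LOGINS_COUNT_CLAIM: 1,
}


def handle_login(claims: dict, mode: str = "link"):
    """Run both steps against the fake API; returns (decision, session user_id, calls)."""
    api = FakeManagementApi(SAMPLE_USERS)
    decision = plan_linking(claims, api, mode)
    return decision, apply_decision(decision, api), api.calls


if __name__ == "__main__":
    for mode in ("link", "delete"):
        decision, session_user, calls = handle_login(FIRST_LOGIN_CLAIMS, mode)
        print(mode, decision.action, session_user or "(re-login required)", calls)
```

The email_verified checks on both sides are the part most often forgotten: linking purely on a matching address lets anyone who can create a social or database account with someone else's email merge into that person's existing account.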