We face the exact same “Unable to deserialize user after prompt” issue when redirecting from rules/actions and linking an email connection identity to a existing db user.
In the original topic:
In this situation, we recommend linking the users after the redirection (after the /continue endpoint) has completed and using user_metadata flags to determine if the user satisfies for account linking. This way, the system is able to determine the user_id.
This fixes the “deserialize” error. However the sub in the access token is the now non-existing user’s. Also there is no session in browser (login page promted) and using the refresh token returns:
{
"error": "invalid_grant",
"error_description": "The refresh_token was generated for a user who doesn't exist anymore."
}
The final comments in the original topic:
Lastly, I found that this is a known issue, and we have an item included in our backlog to address this problem. However, I cannot provide any ETA as to when this item will be fixed.
Is this behaviour going to be changed at some point or is it simply not supported to link users during the authentication flow (unless the primary user is the authenticated one)?
Or in this case you would not want to do it at all. Only way that I can think to get the behaviour we wan’t is to not link to user but simply track in metadata or outside auth0 that these identities are of the same user. In the tokens I can only think a custom “primaryUserId” claim would be needed as otherwise the client applications would treat the user completely different.
My understanding is that account linking via Rules has a known vulnerability in it, this is why it was removed from our Rule samples. At this moment in time, I would suggest either waiting for the Actions release or implementing your other workaround depending on urgency of your requirements.
We have the issue documented here very briefly https://auth0.com/docs/manage-users/user-accounts/user-account-linking#precautions but to provide a bit more context the assumption is made that the user who authenticated as part of login is the legitimate owner of any accounts to be linked. This assumption opens up a potential security flaw as a malicious user could use the same email address to register and create a scenario where that account is now linked to the initial account which may have been via a social connection so one should request authentication for both accounts before linking occurs.
Ok, sounds to me there is no vulnerability in the feature itself but rather that it allows you to shoot in your own foot.
Based to some other Community discussion we might hear about the account linking in actions pretty soon as it should be available before Rules being depricated from new tenants.
Maybe the new linking requires to have both the secondary and primary authenticated before allowing the linking (should be doable in Auth0 side - maybe). Interested to see how it turns out…