Account-replacing instead of account-linking

pgomez · December 30, 2020, 8:43pm

Where account-linking provides a way to link 2 accounts, our goal is to completely replace an account with another.

The problem:
Social accounts are not created until an attempted login with that idp. We therefore are unable to assign roles/permissions to that user. We are not interested in allowing that user to login via username/password, and we don’t want to require our admins to have to wait to assign roles to a user until after that user has logged in.

The Idea:
We create the username-password account, assign it roles/permissions, but do not give anyone access to log into this account. When the user with that same email attempts to authenticate with a given idp, Auth0 automatically creates that social account. We modify the account-linking rule to transfer roles from the username-password account to the social account, then delete the username-password account.

Has anyone attempted something like this before?
Any opinions/insights on the proposed strategy?

Thanks!

john.gateley · December 31, 2020, 3:56pm

Hi @pgomez

Yes, I have implemented this specific solution (though for a different use case) and it works.

Some notes:

Put the pre-provision users in their own DB connection. This connection should NOT be used by any application so there is no way to log in using this connection
You can either copy OR LINK the social account to the account in the DB connection. Since the DB connection does not allow logins, it doesn’t really matter.

John