Account-replacing instead of account-linking

Where account-linking provides a way to link 2 accounts, our goal is to completely replace an account with another.

The problem:
Social accounts are not created until an attempted login with that idp. We therefore are unable to assign roles/permissions to that user. We are not interested in allowing that user to log in via username/password, and we don’t want to require our admins to have to wait to assign roles to a user until after that user has logged in.

The Idea:
We create the username-password account, assign it roles/permissions, but do not give anyone access to log into this account. When the user with that same email attempts to authenticate with a given idp, Auth0 automatically creates that social account. We modify the account-linking rule to transfer roles from the username-password account to the social account, then delete the username-password account.

Has anyone attempted something like this before?
Any opinions/insights on the proposed strategy?


Hi @pgomez

Yes, I have implemented this specific solution (though for a different use case) and it works.

Some notes:

  • Put the pre-provision users in their own DB connection. This connection should NOT be used by any application, so there is no way to log in using this connection.
  • You can either copy OR LINK the social account to the account in the DB connection. Since the DB connection does not allow logins, it doesn’t really matter.
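
One way to structure the role-transfer decision discussed in this thread, as an added example that is not part of either post and not Auth0's own code. It only builds a plan from standard profile fields (`user_id`, `email`, `email_verified`, `identities[].connection`); it refuses to match on an unverified email and schedules the delete after the role assignment. The connection name `preprovisioned-users`, the function name, and the sample profiles and role ids are assumptions.

```javascript
// Added example: builds a plan only; no Auth0 API calls are made.
const PREPROVISION_CONNECTION = 'preprovisioned-users'; // hypothetical name

function planRoleTransfer(loginUser, sameEmailUsers, rolesByUserId) {
  const skip = (reason) => ({ action: 'skip', reason, steps: [] });
  // Match only on an email the IdP has verified; an unverified email
  // would let anyone who claims the address inherit the roles.
  if (!loginUser.email || loginUser.email_verified !== true) {
    return skip('email_not_verified');
  }
  const email = loginUser.email.toLowerCase();
  // Candidates must live in the no-login pre-provisioning connection.
  const placeholders = sameEmailUsers.filter((u) =>
    u.user_id !== loginUser.user_id &&
    typeof u.email === 'string' && u.email.toLowerCase() === email &&
    Array.isArray(u.identities) &&
    u.identities.some((i) => i.connection === PREPROVISION_CONNECTION));
  if (placeholders.length === 0) return skip('no_placeholder');
  if (placeholders.length > 1) return skip('ambiguous_placeholder');

  const source = placeholders[0];
  const roles = rolesByUserId[source.user_id] || [];
  const steps = [];
  if (roles.length > 0) {
    steps.push({ op: 'assign_roles', user_id: loginUser.user_id, roles: [...roles] });
  }
  // Delete last so a failed assignment never loses the pre-assigned roles.
  steps.push({ op: 'delete_user', user_id: source.user_id });
  return { action: 'transfer', reason: 'placeholder_found', steps };
}

// Constructed sample data (not real accounts).
const SAMPLE_LOGIN = {
  user_id: 'google-oauth2|1001', email: 'Ana@example.com', email_verified: true,
  identities: [{ connection: 'google-oauth2' }],
};
const SAMPLE_USERS = [
  SAMPLE_LOGIN,
  { user_id: 'auth0|abc', email: 'ana@example.com',
    identities: [{ connection: PREPROVISION_CONNECTION }] },
  { user_id: 'auth0|xyz', email: 'ana@example.com',
    identities: [{ connection: 'Username-Password-Authentication' }] },
];
const SAMPLE_ROLES = { 'auth0|abc': ['rol_admin', 'rol_billing'] };

console.log(JSON.stringify(planRoleTransfer(SAMPLE_LOGIN, SAMPLE_USERS, SAMPLE_ROLES), null, 2));
```

A rule or action would execute the returned steps in order and stop at the first failure, so the placeholder is removed only after its roles are on the social account.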