Currently have a working web app with auth0 identity. I want to add social login FB, Google, Apple for the purposes of creating new accounts and logging into existing ones. The social account create process seems straightforward. My concern is should I create a way to leverage social login that will enable access to existing accounts in the event the email address is the same?
For example consider I am known to my app as: email@example.com
That email address is also my facebook account email.
If I try to social login should that just allow me to access that account? That seems like a security loophole without having to first authorize/connect that identity to my existing account? If I need to enable a user to “connect” social to their account, that is where I am in need of some guidance.
Is it acceptable or best practice that I only allow social login for new accounts being created using social login vs entering a password when creating an account? When an account has been created using a social login - should that user be able to self-service reset their password or are they restricted to using their social login? If they are not able to social login have they simply lost access to their account?
If you’ve implemented social login, how are you handling these situations?
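The situation raised above, as an added example that is not the poster's code and not Auth0's: a decision function that never signs a social identity into an existing account on an email match alone, but requires the user to prove control of that account first. The user-store shape, the field names and the action names are assumptions.

```javascript
// Constructed sample store: users keyed by id, each with its linked social identities.
const CONSTRUCTED_STORE = {
  users: {
    u1: { id: 'u1', email: 'email@example.com', emailVerified: true, hasPassword: true,
          identities: [] },
    u2: { id: 'u2', email: 'linked@example.com', emailVerified: true, hasPassword: false,
          identities: [{ provider: 'google-oauth2', sub: '1001' }] },
  },
};

function findByIdentity(store, provider, sub) {
  return Object.values(store.users).find(u =>
    u.identities.some(i => i.provider === provider && i.sub === sub));
}

function findByEmail(store, email) {
  return Object.values(store.users).find(u => u.email === email.toLowerCase());
}

// Returns { action, userId } where action is one of:
//  'LOGIN'             - identity already linked, sign in as that user
//  'CREATE'            - no account with this email, create one owned by the identity
//  'CREATE_UNVERIFIED' - provider did not assert a verified email, so the claim is
//                        never matched against existing accounts; new account only
//  'LINK_REQUIRED'     - an account with this email exists; do NOT sign in. Ask the
//                        user to prove control of that account (password, or a code
//                        sent to the stored address) and only then call linkIdentity.
function decideSocialLogin(store, identity) {
  const { provider, sub, email, emailVerified } = identity;
  const linked = findByIdentity(store, provider, sub);
  if (linked) return { action: 'LOGIN', userId: linked.id };
  if (!emailVerified) return { action: 'CREATE_UNVERIFIED', userId: null };
  const existing = findByEmail(store, email);
  if (!existing) return { action: 'CREATE', userId: null };
  return { action: 'LINK_REQUIRED', userId: existing.id };
}

// Called only after the user has re-authenticated to account `userId`.
// Returns the number of identities now linked to that account.
function linkIdentity(store, userId, identity) {
  const user = store.users[userId];
  user.identities.push({ provider: identity.provider, sub: identity.sub });
  return user.identities.length;
}
```

After a successful link, the same identity resolves to `LOGIN` on later visits, so the "connect" step is a one-time re-authentication rather than a permanent restriction to one login method.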