We’ve been using Passwordless login (on a Hosted Page/Universal Login) for a few months now and have decided to implement an embedded login form our-side via auth0.js, to provide both Passwordless and Database (e-mail/password) login options to our users.
This question is related to the solution mentioned here:
But instead of removing our Passwordless login, we’d wish to keep both. I understand we can use the Import/Export extension to get a list of Passwordless users and import them to our Database connection (worked fine in our staging tenant). However, this doesn’t solve the situation for future users who decide to log in via a magic link. If a user decides to do that, then in order to gain access via a password they’d have to perform an independent sign up and link their accounts, correct?
Is there an easy way to keep all users’ e-mails linked (we also provide Google and Slack logins) across auth providers? So that when a user has already logged in via Google’s OAuth, they could send themselves a password reset link (as opposed to going through the sign up flow)? I’m guessing the Management API will come into play and we’d have to ourselves hook into every signup and walk through our existing users to find if the e-mail doesn’t already exist in the Database with a password and if not, enter the user’s e-mail into it?
Correct. From the management perspective, these are two different identities that you can link to get the same user id in both login types.
I’m not completely sure I get the question 100%, but a few pointers:
The password reset link is only valid for Auth0’s database connections. Password reset for social logins should be handled directly with the identity provider.
We provide automatic account linking for users with the same email address using rules. Take a look at the “Link Accounts with Same Email Address” template when creating a new rule.
By using the rule, you would be able to offer both login options (password or passwordless), and have the application receive a unified user_id even if the user chose different login methods. Note that the rule will only link accounts once the email address has been verified.
What I meant was that when a user signs up with a social login, they wouldn’t (later) have to sign up separately with the password flow and we could somehow create a situation where they can use a “Reset password” link to request a first-time password for their (already existing) email-password account.
Could I maybe use the auth0.js SDK’s Management API to create a shallow user with just the e-mail into the username-password database?
We would like to avoid the auth0-side account linking flow as much as possible, since it’s currently proven to be pretty confusing for our users and has resulted in multiple/duplicated accounts on occasions.
You won’t be able to use the management API v2 to create a user directly from the browser side using Auth0.js, but if you feel this flow could help users you can create the DB users using a rule when the user first uses a passwordless email connection (or any other connection for that matter, as long as you have a valid email address) and generate a very hard to guess password. You can use the context.stats.loginsCount === 1 check to detect the first time a user logs in, and context.connectionStrategy to check the type of connection.
Personally, I think this could end up being more confusing than helpful, as this flow will require users to click on the “Forgot your password” link when they never created a password in the first place. So maybe some additional explanation on the login page could work better (like “if you never used a password login, use the Sign Up tab” or something to that effect).