Ask existing account to authenticate with another identity provider (and other NemID questions)

I’m creating an application in which users may optionally verify their identity using the Danish NemID system.

I’ve seen that Auth0 supports authentication with NemID through Criipto, which seems reasonable, but I’m unsure if Auth0 supports asking an existing user, who has already authenticated using one identity provider, to authenticate with a second identity provider.

I’ve found the documentation on User Account Linking, but from what I can see, this only supports linking two existing accounts together. I want users to be able to authenticate with other social identity providers, and then further authenticate with NemID, which doesn’t seem to match what account linking is used for.

How can I prompt an existing account, which has authenticated using e.g. Facebook, to also authenticate with NemID (and hopefully link these two “accounts”)?

This is possibly in the documentation somewhere, but I haven’t been able to find it.

I have two further questions, but I’m unsure if this is related to Auth0 or the NemID provider, being Criipto. I’ll take my chances and ask here first.

Criipto provides various legal information about the user, which is linked to their SSN and thus legally verifyable, will Auth0 provide this information as part of the identity metadata?

Are NemID identities unique? E.g. if account A further authenticates with NemID, and account B attempts to authuenticate with NemID using the same credentials, will the authentication attempt be rejected?

Thanks in advance.

Hey @wizhi - welcome to the Auth0 Community!

In order to link two accounts, both of them need to exist within Auth0. In order for it to exist, as you have now figured out, a federation must happen.

In order to force a login while a session already exists in Auth0, you can use the prompt=login parameter in your /authorize request. This will prompt the user for logging in once again, even when a session already exists.

Let me know if this helps to support your query.

Hi @joseantonio.rey,

Thanks for the reply.

I think you might have misunderstood my intention - or maybe I’m misunderstanding the documentation. :slight_smile:

In the documentation for the prompt parameter of the /authorize endpoint, it says to see the associated remarks, which state:

Silent authentication lets you perform an authentication flow where Auth0 will only reply with redirects, and never with a login page. When an Access Token has expired, silent authentication can be used to retrieve a new one without user interaction, assuming the user’s Single Sign-on session has not expired.

I think the inteded usage for this would be refreshing the token of an active session.
Setting prompt=login would, from your explanation, prompt the user to login using the interface of the specified connection, correct?

That’s not what I’m actually looking for.

I’m looking for a way, in which I can have an existing account perform an authentication request to another identity provider, resulting in the existing account being automatically linked to the “newly created” account.

Since creating this thread, I did stumble upon this legacy endpoint, which does exactly what I want.
The problem is, however, that it’s been deprecated for security reasons, which is fair.

I’ve personally come to the conclusion that Auth0 simply doesn’t support this anymore, and I need to work around it.

My current idea would be something like…

  1. User initially authenticates using IdP A, resulting in the creation of Account A
  2. Save access token of Account A in a semi-persistent storage of my application, such as a cookie
  3. Initiate a new authentication flow for IdP B, resulting in the creation of Account B
  4. The authentication flow will eventually redirect back to my application, with the access token for Account B
  5. Detect that an access token already exists in my application’s storage
  6. Link the account of the existing access token with the account of the new access token using the Management API (meaning I need to setup a proxy request), meaning Account A is the primary account, with Account B being the secondary account
  7. Discard the new access token, since this should be for the secondary account which, according to Auth0 logic, no longer actually exists
  8. Have the user continue to use the old access token, which now belongs to the linked account

Honestly this is messy, and requires the client to be far more involved, which I find particularly annoying.

I haven’t implemented the actual client in this case either, but have been given the task of adding the NemID authentication integration to existing accounts, so I’m unsure if the auth0.js SDK even supports this flow, or if we need to add more custom things for it.

If you can think of any way to make this more streamlined, I’d highly appreciate it.
Again, the sadly deprecated endpoint in question does exactly what I want, and I wish there was something to replace it.

Thank in advance.

Hello, @wizhi,

Aha, that makes sense. Indeed, the flow that you are describing is exactly what you would need to do in this case.

What I was mentioning with the prompt=login is that you can leverage that to force step 3, instead of having the user log out and log back in.

What you have described, though, is on point.