I have two Auth0 users with emails joe@badgers.com and jane@badgers.com. Our Drupal 8 installation is linked with Auth0 (using email addressed to link the two.) Both Joe and Jane can login (using offsite login at Auth0), but regardless of which of the two does, in Drupal, Joe’s account ends up being logged in.
I traced the problem to the auth0_drupal table. Jane and Joe each have a record with a unique auth0_id that matches Auth0’s. But in the drupal_id field, both records are Joe’s Drupal ID.
So now I know how to fix the issue, but am concerned about how these two ended up pointing to the same Drupal user ID. If this is a bug, could some random user get linked with one of the admin accounts, and get god access to our entire universe?