I was wondering if it was possible to “change” the primary user during a post-login action and still authorize the user correctly.
Let’s say I have a user with two identities:
Username-Password-Authentication
google-workspace
Using an action, I can unlink the two accounts and then link the Database one to the Google Workspace one, but I get an Unauthorized response. If I then try logging in again, everything works correctly.
Is this unsupported or is there some way to do it?
Unfortunately, you cannot change the primary user during the authentication flow. This would not work since the user that initiated the login would have submitted their credentials to log in.
Because of this, the secondary identity will need a way to authenticate in between the first authentication, which introduces complexity and security issues.
The 401 Unauthorized error you observed is to be expected since the current user was not the same as the initial user that requested access.
Now, could you please clarify if the user’s identities were previously linked?
If so, could you please clarify the reason why you need to perform these steps instead of having the user use their desired account to log in? They should be able to log in with any identity given that it is linked.
Yes, the user’s identities are linked. I am trying to “migrate” users, i.e. switch their main identity and secondary identity. I guess the best way to do this would be with a script instead of relying on a post-login action?
Yes, I suggest exporting your users using the Management API Create Export users job endpoint and manipulating the exported JSON file to switch their main identities.
When you import the users back into your application, make sure to set the upsert flag to true to update the existing records.
I tried your proposed solution, but I’m having trouble understanding how I could achieve the identity switch.
When unlinking an identity from an account, a new account is created whose primary identity is the unlinked one. Then when they are linked back, the two accounts are fused into one by adding the linked account as an identity of the primary.
As I understand by reading the documentation, the bulk import can only be used to upsert a subset of user fields, as defined here. Two of the fields that cannot be upserted are:
user_id
identities
If I can’t shuffle identities around, how can I perform this linking/unlinking through this interface?
Thank you for your response and for checking this for me.
In this case, you could consider importing just the user’s primary identity with upsert: false, allowing you to set the user_id and negate the identities property altogether. This will preserve the user’s primary identity, and then from this point, I suggest using Account Linking for the second identity.
This way, the user can continue to log in to their primary account, as usual, and is then offered the option to link their secondary identity with the primary identity.
This way, you essentially mimicked swapping identities.
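The unlink-then-relink sequence discussed in this thread, written as a dry-run planner; this is an added example, not code from any poster or from Auth0. The paths are Management API v2 endpoints; the sample record and the names `planPrimarySwap`, `fullId` and `sampleUser` are constructed, and it assumes a user with exactly two identities and that linking does not merge the secondary account's metadata.

```javascript
// Added example; the sample record and helper names are constructed.
// An Auth0 user_id has the form "<provider>|<identity user_id>".
const fullId = (identity) => `${identity.provider}|${identity.user_id}`;
const enc = encodeURIComponent; // "|" in user_ids must be escaped in URL paths

// Returns the ordered Management API v2 requests that make the identity on
// `newPrimaryConnection` the primary one. Dry run: nothing is sent.
function planPrimarySwap(user, newPrimaryConnection) {
  const primary = user.identities.find((i) => fullId(i) === user.user_id);
  if (!primary) throw new Error(`${user.user_id}: primary identity not found`);
  if (primary.connection === newPrimaryConnection) return []; // already primary
  const linked = user.identities.filter((i) => i !== primary);
  // Assumption: only the two-identity case from the thread is handled.
  if (linked.length !== 1 || linked[0].connection !== newPrimaryConnection) {
    throw new Error(`${user.user_id}: expected one linked identity on ${newPrimaryConnection}`);
  }
  const target = linked[0];
  const newId = fullId(target);
  return [
    // 1. Unlink: the secondary becomes a standalone user with its own user_id.
    { method: 'DELETE',
      path: `/api/v2/users/${enc(user.user_id)}/identities/${enc(target.provider)}/${enc(target.user_id)}` },
    // 2. Copy metadata across before linking, since the secondary's is not merged.
    { method: 'PATCH', path: `/api/v2/users/${enc(newId)}`,
      body: { app_metadata: user.app_metadata || {}, user_metadata: user.user_metadata || {} } },
    // 3. Link the old primary under the new one as a secondary identity.
    { method: 'POST', path: `/api/v2/users/${enc(newId)}/identities`,
      body: { provider: primary.provider, user_id: primary.user_id } },
  ];
}

// Constructed sample, shaped like an Auth0 user profile with two identities.
const sampleUser = {
  user_id: 'auth0|abc123',
  app_metadata: { roles: ['admin'] },
  identities: [
    { provider: 'auth0', user_id: 'abc123', connection: 'Username-Password-Authentication' },
    { provider: 'google-apps', user_id: 'jane@example.com', connection: 'google-workspace' },
  ],
};

console.log(JSON.stringify(planPrimarySwap(sampleUser, 'google-workspace'), null, 2));
```

After the swap the account's user_id (the `sub` claim in tokens) is the new primary's, so any application data or authorization rules keyed on the old value need remapping.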