Change primary user during post-login action results in Unauthorized


I was wondering if it was possible to “change” the primary user during a post-login action and still authorize the user correctly.

Let’s say I have a user with two identities

  1. Username-Password-Authentication
  2. google-workspace

Using an action, I can unlink the two accounts and then link the Database one to the Google Workspace one, but I get an Unauthorized response. If I then try logging in again everything works correctly.

Is this unsupported or is there some way to do it?

Thanks :slight_smile:

1 Like

Hi @cristiano.piemontese,

Welcome to the Auth0 Community!

Unfortunately, you cannot change the primary user during the authentication flow. This would not work since the user that initiated the login would have submitted their credentials to log in.

Because of this, the secondary identity will need a way to authenticate in between the first authentication which introduces complexity and security issues.

The 401 Unauthorized error you observed is to be expected since the current user was not the same as the initial user that requested access.

Now, could you please clarify if the user’s identities were previously linked?

If so, could you please clarify the reason why you need to perform these steps instead of having the user use their desired account to log in? They should be able to log in with any identity given that it is linked.

I am looking forward to your reply.


1 Like

Hi @rueben.tiow,

Thanks for your answer!

That makes sense and I figured this was the case.

Yes, user’s identities are linked. I am trying to “migrate” users i.e. switch their main identity and secondary identity. I guess the best way to do this would be with a script instead of relying on a post-login action?


1 Like

Hi @cristiano.piemontese,

Thank you for your response.

Yes, I suggest exporting your users using the Management API Create Export users job endpoint and manipulating the exported JSON file to switch their main identities.

When you import the users back into your application, make sure to set the upsert flag to true to update the existing records.

See Bulk User Exports to learn more.

Here are additional resources you may find useful:

Please let me know if you have any further questions.

Thank you.

1 Like

Hi @rueben.tiow!

How are you doing?

I tried your proposed solution but I’m having trouble understanding how I could achieve the identity switch :confused:

When unlinking an identity from an account, a new account is created whose primary identity is the unlinked one. Then when they are linked back, the two accounts are fused into one by adding the linked account as an identity of the primary.

As I understand by reading the documentation, the bulk import can only be used to upsert a subset of user fields, as defined here. Two of the fields that cannot be upserted are

  • user_id
  • identities

If I can’t shuffle identities around how can I perform this linking/unlinking through this interface?

Thank you for your support :pray:

1 Like

Hi @cristiano.piemontese,

Doing well, thank you.

Thank you for your response and for checking this for me.

In this case, you could consider importing just the user’s primary identity with upsert: false; Allowing you to set the user_id and negate the identities property altogether. This will preserve the user’s primary identity, and then from this point, I suggest using Account Linking for the second identity.

This way, the user can continue to log in to their primary account, as usual, and then offered to link their secondary identity with the primary identity.

This way, you essentially mimicked swapping identities.

Does that help?

Thank you.