The account linking feature in Auth0 is neat; we certainly intend to use it to power some of our use cases.
I do however feel it could be made more powerful if it catered for the following scenario.
The goal here is to allow those users to transition from database user accounts to their work (enterprise) credentials without losing their identity within downstream systems. Where possible this would ideally be a process transparent to the user.
- You provision lots of users in a database connection and grant them access to your systems.
- Each system uses the sub from the id_token to uniquely identify each user in their system.
- You decide to create an enterprise connection to allow those users to log in with their work credentials.
- Your users now log on with their work credentials.
- Downstream systems continue to recognize them for who they are even though they used different credentials.
You can automate this with account linking in a rule to make the process transparent to the user. The rule will check to see if the user's e-mail address matches a database user. If the emails match then it will link the accounts together, where the database user is the Primary and the work user is the
Problem 1: Awkward Automation
The problem here is that after that first login (and only the first) with their work credentials, the sub in the access_token is going to be the sub from their work user (because the user's identity has already been established). Downstream systems will not recognize the user until they subsequently log in again and the correct sub is in the JWTs.
You have options:
- Put a separate claim (e.g. my_user_id) in the JWTs to act as the user ID in downstream systems. It'll work, but then we lose some of the natural semantics of the JWT. These semantics (sub = user identifier) are important because a lot of consumer frameworks rely on them.
- Force the user to sign in again after the linking process. It'll work… but then the process isn't transparent to the user.
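As an added illustration of the email-matching rule and of Problem 1 (example code, not from the original post or from Auth0), the following Node.js snippet models the link decision against an in-memory stand-in for the user store. The names buildSampleStore, findDatabaseUserByEmail, linkAccounts, runLinkingRule and resolveLogin and the sample user ids are constructed for the example, and the verified-email check is an added caveat the post does not mention:

```javascript
// Added example (not code from the original post or from Auth0): a plain
// Node.js model of the email-matching account-linking rule, with an
// in-memory stand-in for the user store so it runs offline.
// Hypothetical names: buildSampleStore, findDatabaseUserByEmail,
// linkAccounts, runLinkingRule, resolveLogin.

// Constructed sample data: one provisioned database user and one enterprise
// (work) user who is signing in for the first time with the same email.
function buildSampleStore() {
  return new Map([
    ['auth0|db-0001', {
      user_id: 'auth0|db-0001',
      email: 'alice@example.com',
      email_verified: true,
      identities: [{ provider: 'auth0', connection: 'Username-Password-Authentication', user_id: 'db-0001' }],
    }],
    ['samlp|corp|alice', {
      user_id: 'samlp|corp|alice',
      email: 'Alice@Example.com',
      email_verified: true,
      identities: [{ provider: 'samlp', connection: 'corp', user_id: 'alice' }],
    }],
  ]);
}

// Find a user whose first identity lives in a database connection and whose
// email matches (case-insensitively) the email of the user logging in.
function findDatabaseUserByEmail(store, email) {
  const wanted = email.toLowerCase();
  for (const u of store.values()) {
    if (u.identities[0].provider === 'auth0' && u.email.toLowerCase() === wanted) {
      return u;
    }
  }
  return null;
}

// Link: the secondary's identities move under the primary profile and the
// secondary profile disappears, so later logins with that identity resolve
// to the primary user_id.
function linkAccounts(store, primary, secondary) {
  primary.identities.push(...secondary.identities);
  store.delete(secondary.user_id);
}

// Decision logic for the rule. Returns what happened and which sub the
// downstream systems see in this transaction versus on the next login.
function runLinkingRule(store, currentUser) {
  const noChange = {
    action: 'none',
    subInThisTransaction: currentUser.user_id,
    subOnNextLogin: currentUser.user_id,
  };

  // Already linked, or a database user: nothing to do.
  if (currentUser.identities.length > 1 || currentUser.identities[0].provider === 'auth0') {
    return noChange;
  }

  const primary = findDatabaseUserByEmail(store, currentUser.email);
  if (!primary) return noChange;

  // Caveat not in the post: only trust an email match when both sides have a
  // verified email, otherwise an unverified email claim could be used to
  // attach an identity to someone else's database account.
  if (!currentUser.email_verified || !primary.email_verified) {
    return { ...noChange, action: 'skipped-unverified-email' };
  }

  linkAccounts(store, primary, currentUser);

  // Problem 1 from the post: the transaction that triggered the rule keeps
  // the work user's id as sub; only a later login yields the primary's id.
  return {
    action: 'linked',
    primaryId: primary.user_id,
    subInThisTransaction: currentUser.user_id,
    subOnNextLogin: primary.user_id,
  };
}

// Resolve a later login by (provider, identity user_id) to the profile that
// owns that identity, i.e. the sub that ends up in the new tokens.
function resolveLogin(store, provider, identityUserId) {
  for (const u of store.values()) {
    if (u.identities.some((i) => i.provider === provider && i.user_id === identityUserId)) {
      return u.user_id;
    }
  }
  return null;
}

// Stand-alone demo on its own copy of the sample store.
const demoStore = buildSampleStore();
console.log('first work login:', runLinkingRule(demoStore, demoStore.get('samlp|corp|alice')));
console.log('next work login resolves to sub:', resolveLogin(demoStore, 'samlp', 'alice'));
```

The first call reports `subInThisTransaction` as the work user's id and `subOnNextLogin` as the database user's id, which is exactly the one-login mismatch described under Problem 1; after linking, `resolveLogin` maps the work identity to the primary profile.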
In an ideal world this could be taken care of consistently in the Auth0 platform without the need for developer (me) intervention.
Alternatively though, providing us with the ability to modify things like the sub in rules would at least allow us to control this for ourselves.