
Consistent User Id (sub) with account linking



The account linking feature in Auth0 is neat; we certainly intend to use it to power some of our use cases.

I do however feel it could be made more powerful if it catered for the following scenario.


The goal here is to allow those users to transition from database user accounts to their work (enterprise) credentials without losing their identity within downstream systems. Where possible this would ideally be a process transparent to the user.


  • You provision lots of users in a database connection and grant them access to your systems.
  • Each system uses the sub from the access_token or id_token to uniquely identify each user in its own records.
  • You decide to create an enterprise connection to allow those users to log in with their work credentials.
  • Your users now log in with their work credentials.
  • Downstream systems continue to recognize them for who they are even though they used different credentials.

You can automate this with account linking in a rule to make the process transparent to the user.

The rule checks whether the e-mail address of the user who just logged in matches a database user. If the e-mails match, it links the two accounts, with the database user as the primary and the work user as the secondary account.

Problem 1: Awkward Automation

The problem here is that on that first login (and only the first) with their work credentials, the sub in the id_token and access_token is going to be the sub of their work user, because the user's identity was already established before the rule linked the accounts. Downstream systems will not recognize the user until they log in again and the correct sub is in the JWTs.

You have options:

  • Put a separate claim (eg: my_user_id) in the JWTs to act as the user-id in downstream systems. It’ll work, but then we lose some of the natural semantics of the JWT. These semantics (sub = user identifier) are important because a lot of consumer frameworks rely on them.
  • Force the user to sign-in again after the linking process. It’ll work… but then the process isn’t transparent to the user.
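As an added example (not code from the original post or from Auth0), the decision half of the e-mail-match linking rule described above, written as a pure function so it runs offline. It assumes a user shape of user_id, email, email_verified and identities[{provider, user_id, connection}], and a link request body of { provider, user_id } for the primary user's identities endpoint; the HTTP call to the Management API is left out. The returned plan also records which sub downstream systems see on this login versus the next one, which is Problem 1 above.

```javascript
// Decide whether the user who just logged in should be linked, and how.
// Returns null when nothing should be done, otherwise the link plan.
// Shapes and field names are assumptions of this example.
function planLink(currentUser, usersWithSameEmail, dbConnectionName) {
  // A user with more than one identity has already been linked.
  if (currentUser.identities.length > 1) return null;
  // Only link on a verified e-mail: an unverified match is not proof
  // that the two accounts belong to the same person.
  if (!currentUser.email_verified) return null;

  // The primary is the existing database user with the same verified e-mail.
  const primary = usersWithSameEmail.find(u =>
    u.user_id !== currentUser.user_id &&
    u.email_verified &&
    u.identities.some(i => i.connection === dbConnectionName));
  if (!primary) return null;

  // The user who just logged in (the work identity) becomes the secondary.
  const secondary = currentUser.identities[0];
  return {
    primaryUserId: primary.user_id,
    body: { provider: secondary.provider, user_id: secondary.user_id },
    // The tokens of this login were minted for the work user, so downstream
    // systems see the work sub now and the database sub only on the next login.
    subThisLogin: currentUser.user_id,
    subNextLogin: primary.user_id,
  };
}

// Constructed sample users (ids and connection names are made up).
const DB_CONNECTION = 'Username-Password-Authentication';
const workUser = {
  user_id: 'samlp|corp|jdoe',
  email: 'jdoe@example.com',
  email_verified: true,
  identities: [{ provider: 'samlp', user_id: 'corp|jdoe', connection: 'corp-saml' }],
};
const dbUser = {
  user_id: 'auth0|5f1',
  email: 'jdoe@example.com',
  email_verified: true,
  identities: [{ provider: 'auth0', user_id: '5f1', connection: DB_CONNECTION }],
};

// First work login: link work user (secondary) under the database user (primary).
const plan = planLink(workUser, [workUser, dbUser], DB_CONNECTION);
console.log(plan);
// The database user logging in directly needs no linking.
console.log(planLink(dbUser, [workUser, dbUser], DB_CONNECTION)); // null
```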


In an ideal world this could be taken care of consistently in the Auth0 platform without the need for developer (me) intervention.

Alternatively though, providing us with the ability to modify things like the sub in rules would at least allow us to control this for ourselves.