Disambiguating Amongst Multiple Auth0 Users With Same Email with the Auth0-Returned User Object

The user object returned by useAuth0 (“@auth0/auth0-react”: “^1.12.1”) does not provide the user_id. Therefore, if there are multiple accounts with the same email address, which would occur where a user registered multiply through different social and auth0 connections, I see no way by which the application could know which of the user account has logged in.

I suppose there might be some scenarios where an application would not need to disambiguate between these accounts, treating them collectively, for its purposes, as the same logical user. However, in my case, my backend will be gleaning user details from the user objects returned by the ‘…/users-by-email’ endpoint, which could differ between the connections and, in any event, I would like to maintain an accurate link between my internal user account and an Auth0 user account.

Is there a tenant application configuration for guarding against the registration of multiple accounts with the same email? Otherwise, do you have any suggestions on how to resolve this?

Thanks!

Hi @robertw,

Welcome to the Auth0 Community!

The object returned should include the user’s Auth0 user_id. That object is essentially just the user’s ID token.

Can you share an example of what is returned in that object?

2 Likes

Thanks for getting back. I believe I found the ‘user’ object’s ‘user_id’ property, but for some reason it is being named ‘sub’ on the version of the user object that is retrieved by the useAuth0 function of the @auth0/auth0-react library.

Here is the ‘sub’ property value of one of my test accounts:
auth0|63e54a3012d4e9a01f315f33

const { user, isAuthenticated, getAccessTokenSilently, error, logout, loginWithRedirect } = useAuth0();

Can I rely on the ‘sub’ property as the source of the user ID?

Hi @robertw,

Yes, you can rely on it. The sub claim is the user_id in this context.

This is a convention from Oauth2/OIDC and is short for subject. Your user is the subject of the access token/id token.

Hope that helps!

It is working for me, with the user_id allowing me to retrieve the richer amount of user information readily available from the management API which I call from my resource server

BTW, apologies for my delayed responses as I am not getting email notifications to my O365 tenant. I understand from posts I’ve seen on this forum that there is a system enhancement pending for the Auth0 system to bring it up to the SMTP security progression adopted my MS late last year?

1 Like

Hm, I’m not familiar with this, but happy to look into it if you share a link to your reference.