Do you have a valid link for the auth0 rule "link-users-by-email"?

I am trying to develop a rule that will link users with the same email.

The thing is that all links in the community/Google results in 404’s - do you have a valid link to this rule?

Thanks in advance :+1:

Hi Alex

This rule has been deprecated due to security issues.
Use the account linking extension instead.

John

1 Like

Hi John.

The account linking extension looks promising - I will read more into this. Maybe Auth0 should throw out some redirects?

Hi @john.gateley - do you know if the auth0 extension is actively supported? An issue like this, with no responses from Auth0 makes me a bit scared of implementing it in production?

Uhh - even more depressing with this issue.

In our solution we are only using passwordless and Google auth. Therefore e-mails are always verified. Would that not make automatic account linking safe enough?

Hi Alex,

Yes, the account linking extensions is supported. The official docs are here:

On those threads you posted, the original poster made comments after a cleanup bot had marked the thread as closed. We should have caught it, but I suspect the bot closing it removed it from the radar. If that ever happens, just start a new thread.

I cannot comment on the security of the scenario you are talking about. It avoids the major issue I know of, but I would need a security review before I could give it the thumbs up.

It is vulnerable to the scenario where a few months down the road you add a username/password DB into the equation and then the large security hole is open, unless you remember to come back and fix the rule.

John

1 Like

Thanks so much for answering :pray: I will go ahead with the extension then, and try it out.

Hi @john.gateley - I currently struggle with 2 issues with the account link extension, just mentioning here fyi:

Thanks for your help so far, but I hope I can nail this problem soon :thinking: