Earliest point a social login may be linked & preventing duplicate linking attempts

Hi :slightly_smiling_face:

Our team is currently evaluating Auth0, and everything is looking good so far, although I have a question related to linked accounts.

Our requirements are as follows:

  • Users may sign in or register using an email and password.
  • When using the email and password based login, only allow sign on if email_verified is true.
  • Users may sign in or register using one or many social sign ons (Google, Facebook, Microsoft for example).
  • Users should only be able to sign in using a social provider account if email_verified is true for that social provider identity.
  • When an account is registered, link the account to any existing account that has the same email (with a preference to linking to Auth0 native users).
  • The linking process should be transparent to the user (we do not want to use the Account Link Extension).

We are trying to implement this like so:

  • In a Post Login action, check if the user being authenticated has email_verified set to true. If false, fail the authentication attempt.
  • In a subsequent Post Login action, first check if the user has 1 identity in the user.identities array (indicating they are unlinked). If they do, search for existing users with the same email (ensuring we exclude users with the same user_id, and users with email_verified set to false). If users are found, link the social login to the found user (with a preference for linking to the Auth0 native user, if it exists).

We wanted to only run the linking right after an account is created, although this doesn’t appear to be supported by Auth0, given the Post User Registration action is not run when a social provider creates an account, and neither is the Post User Registration hook.

Is our understanding correct that a social account may only be linked by introducing linking logic to the Post Login action? Is this the earliest point at which one may link a social account to another account? It would be great if someone could please clarify.

We are also a little concerned about our approach: is there a better way to achieve what we want given our requirements? For instance, imagine a user who only uses the email/password flow to log in; they will always have 1 item in the user.identities array, which, given our current approach, will always result in a search to see if there are accounts to link. Ideally this wouldn’t happen, and a search would only happen on the user’s first successful log in attempt.

We’ve come across the event.stats.logins_count value, but it seems this value is incremented even if a login attempt fails. This results in us being unable to use it to prevent our search/linking action running twice (i.e. check if event.stats.logins_count == 1), since a failure in our first action (which checks if the email is verified) would cause linking to be skipped (once the user has verified their email and attempted to log in again).

Thanks for all the great work you do on Auth0, and thank you so much for any insight or advice.

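As an added example (not code from the original post, nor Auth0's own), here is one Post Login Action implementing the flow described above: deny identities whose email is unverified, search for same-email accounts once per unlinked user rather than on every login, and link with a preference for the Auth0 native user. It assumes v3 of the `auth0` npm package's ManagementClient (`getUsersByEmail`, `linkUsers`), Action secrets named DOMAIN, CLIENT_ID and CLIENT_SECRET, and an app_metadata flag `link_checked` used in place of event.stats.logins_count; all of these are assumptions.

```javascript
// Added example (not the poster's code). Assumes the `auth0` npm
// ManagementClient (getUsersByEmail, linkUsers) and Action secrets.

function pickPrimary(current, candidates) {
  // Never link to ourselves, and never to an account whose email is unverified.
  const eligible = candidates.filter(
    (u) => u.user_id !== current.user_id && u.email_verified === true
  );
  if (eligible.length === 0) return null;
  // Prefer an Auth0 native (database) user, otherwise the oldest account.
  const isNative = (u) => (u.identities || []).some((i) => i.provider === 'auth0');
  const native = eligible.find(isNative);
  if (native) return native;
  return [...eligible].sort((a, b) => new Date(a.created_at) - new Date(b.created_at))[0];
}

async function linkIfNeeded(event, api, management) {
  const user = event.user;
  if (user.email_verified !== true) {
    api.access.deny('Please verify your email address before signing in.');
    return null;
  }
  // Already linked: more than one identity, nothing to do.
  if (!Array.isArray(user.identities) || user.identities.length !== 1) return null;
  // Assumption: an app_metadata flag replaces event.stats.logins_count, so the
  // search runs once per unlinked user rather than on every login.
  if (user.app_metadata && user.app_metadata.link_checked) return null;
  const primary = pickPrimary(user, await management.getUsersByEmail(user.email));
  if (!primary) {
    api.user.setAppMetadata('link_checked', true);
    return null;
  }
  const { provider, user_id } = user.identities[0]; // provider-specific id
  await management.linkUsers(primary.user_id, { provider, user_id });
  // Continue this login as the primary (linked) account.
  api.authentication.setPrimaryUser(primary.user_id);
  return primary.user_id;
}

// Exported entry point in the Action editor: exports.onExecutePostLogin = ...
const onExecutePostLogin = async (event, api) => {
  const { ManagementClient } = require('auth0');
  const management = new ManagementClient({
    domain: event.secrets.DOMAIN,
    clientId: event.secrets.CLIENT_ID,
    clientSecret: event.secrets.CLIENT_SECRET,
  });
  await linkIfNeeded(event, api, management);
};
```

The Management API client needs the `read:users` and `update:users` scopes for the search and link calls; the flag is only written when no match is found, because a linked user has two identities and is skipped on later logins anyway.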