Our team is currently evaluating Auth0, everything is looking good so far, although I have a question related to linked accounts.
Our requirements are as follows:
- Users may sign in or register using an email and password.
- When using the email and password based login, only allow sign on if
- Users may sign in or register using one or many social sign ons (Google, Facebook, Microsoft for example).
- Users should only be able to sign in using a social provider account if `true` for that social provider identity.
- When an account is registered, link the account to any existing account that has the same email (with a preference to linking to Auth0 native users).
- The linking process should be transparent to the user (we do not want to use the Account Link Extension).
We are trying to implement this like so:
- In a Post Login action, check if the user used to authenticate has `false`; if so, fail the authentication attempt.
- In a subsequent Post Login action, first check if the user has 1 identity in the `user.identities` array (indicating they are unlinked). If they do, search for existing users with the same `user_id`, and users with `false`); if users are found, link the social login to the found user (with a preference for linking to the Auth0 native user, if it exists).
We wanted to only run the linking right after an account is created, although this doesn't appear to be supported by Auth0, given the Post User Registration action is not run when a social provider creates an account, and neither is the Post User Registration hook.
Is our understanding correct that a social account may only be linked by introducing linking logic to the Post Login action? Is this the earliest point at which one may link a social account to another account? It would be great if someone could please clarify.
We are also a little concerned about our approach: is there a better way to achieve what we want given our requirements? For instance, imagine a user who only uses the email/password flow to log in; they will always have 1 item in the `user.identities` array, which, given our current approach, will always result in a search to see if there are accounts to link. Ideally this wouldn't happen, and a search would only happen on the user's first successful log in attempt.
We've come across the `event.stats.logins_count` value, but it seems this value is incremented even if a login attempt fails. This results in us being unable to use it to prevent our search/linking action running twice (i.e. check if `event.stats.logins_count == 1`), since a failure in our first action (which checks if the email is verified) would cause linking to be skipped (once the user has verified their email and attempted to log in again).
Thanks for all the great work you do on Auth0, and thank you so much for any insight or advice.
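The two Post Login steps described in the question, written out as an added example (not the poster's code and not Auth0's): a verified-email gate, and an "only if unlinked" search that prefers the `auth0|` database user as the primary account and ignores any candidate whose email is not verified, which is what keeps an unverified social sign-up from being merged into someone else's account. The Auth0 Actions fields assumed to exist are `event.user.user_id`, `event.user.email`, `event.user.email_verified`, `event.user.identities[]` (with `provider` and `user_id` per identity), `api.access.deny(reason)` and `api.authentication.setPrimaryUser(id)`. The Management API client is injected, and its `listUsersByEmail` / `linkUsers` method names are hypothetical stand-ins for the real client calls, so the logic runs offline against a constructed in-memory user list.

```javascript
// Added example: Post Login linking logic as pure, testable functions.
// Assumed Auth0 Actions surface: event.user.{user_id,email,email_verified,identities},
// api.access.deny(reason), api.authentication.setPrimaryUser(id).
// mgmt.listUsersByEmail / mgmt.linkUsers are hypothetical names for the
// Management API calls; swap in the real client in a deployed Action.

// Action 1: refuse the attempt when the identity used has no verified email.
function requireVerifiedEmail(event, api) {
  if (event.user.email_verified !== true) {
    api.access.deny('Please verify your email address before logging in.');
    return false;
  }
  return true;
}

// Choose the account to link into. Only other users with a verified email
// are eligible; prefer the Auth0 database user, otherwise the oldest account.
function chooseLinkTarget(currentUserId, candidates) {
  const eligible = candidates.filter(
    (u) => u.user_id !== currentUserId && u.email_verified === true,
  );
  if (eligible.length === 0) return null;
  const native = eligible.find((u) => u.user_id.startsWith('auth0|'));
  if (native) return native;
  return eligible
    .slice()
    .sort((a, b) => a.created_at.localeCompare(b.created_at))[0];
}

// Action 2: an unlinked user (exactly one identity) triggers a lookup by
// email; when a target exists, the current identity is linked into it and
// the session is switched to the primary user.
async function linkIfUnlinked(event, api, mgmt) {
  const user = event.user;
  if (user.identities.length !== 1) {
    return { linked: false, reason: 'already-linked' };
  }
  if (user.email_verified !== true) {
    return { linked: false, reason: 'unverified' };
  }
  const candidates = await mgmt.listUsersByEmail(user.email);
  const target = chooseLinkTarget(user.user_id, candidates);
  if (!target) return { linked: false, reason: 'no-candidate' };

  // identities[0] carries the provider-specific id (e.g. provider "google-oauth2").
  const identity = user.identities[0];
  await mgmt.linkUsers(target.user_id, {
    provider: identity.provider,
    user_id: identity.user_id,
  });
  api.authentication.setPrimaryUser(target.user_id);
  return { linked: true, primary: target.user_id };
}

// Constructed in-memory stand-in for the Management API client.
function makeFakeManagementClient(users) {
  const links = [];
  return {
    links,
    listUsersByEmail: async (email) => users.filter((u) => u.email === email),
    linkUsers: async (primaryId, secondary) => {
      links.push({ primaryId, ...secondary });
      return links;
    },
  };
}

// Constructed stand-in for the Actions `api` object.
function makeFakeApi() {
  const calls = { denied: null, primary: null };
  return {
    calls,
    access: { deny: (reason) => { calls.denied = reason; } },
    authentication: { setPrimaryUser: (id) => { calls.primary = id; } },
  };
}

// Constructed sample: a Google sign-in whose email matches an existing
// verified database user and an unverified Facebook user.
const sampleUsers = [
  { user_id: 'auth0|db1', email: 'a@example.com', email_verified: true, created_at: '2023-01-01T00:00:00Z' },
  { user_id: 'facebook|fb1', email: 'a@example.com', email_verified: false, created_at: '2022-01-01T00:00:00Z' },
];
const sampleEvent = {
  user: {
    user_id: 'google-oauth2|g1',
    email: 'a@example.com',
    email_verified: true,
    identities: [{ provider: 'google-oauth2', user_id: 'g1' }],
  },
};

linkIfUnlinked(sampleEvent, makeFakeApi(), makeFakeManagementClient(sampleUsers))
  .then((r) => console.log(JSON.stringify(r)));
```

The check that matters for safety is the `email_verified === true` filter on both sides: the incoming identity and every candidate. Without it, anyone able to sign up with a social provider using an unverified address could be merged into the database account that owns that address.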