Hi
Our team is currently evaluating Auth0, everything is looking good so far, although I have a question related to linked accounts.
Our requirements are as follows:
- Users may sign in or register using an email and password.
- When using the email and password based login, only allow sign on if email_verified is true.
- Users may sign in or register using one or many social sign ons (Google, Facebook, Microsoft for example).
- Users should only be able to sign in using a social provider account if email_verified is true for that social provider identity.
- When an account is registered, link the account to any existing account that has the same email (with a preference to linking to Auth0 native users).
- The linking process should be transparent to the user (we do not want to use the Account Link Extension).
We are trying to implement this like so:
- In a Post Login action, check if the user used to authenticate has email_verified set to true. If false, fail the authentication attempt.
- In a subsequent Post Login action, first check if the user has 1 identity in the user.identities array (indicating they are unlinked). If they do, search for existing users with the same email (ensuring we exclude users with the same user_id, and users with email_verified set to false). If users are found, link the social login to the found user (with a preference for linking to the Auth0 native user, if it exists).
We wanted to only run the linking right after an account is created, although this doesn't appear to be supported by Auth0, given the Post User Registration action is not run when a social provider creates an account, and neither is the Post User Registration hook.
Is our understanding correct that a social account may only be linked by introducing linking logic to the Post Login action? Is this the earliest point at which one may link a social account to another account? It would be great if someone could please clarify.
We are also a little concerned about our approach. Is there a better way to achieve what we want given our requirements? For instance, imagine a user who only uses the email/password flow to log in: they will always have 1 item in the user.identities array, which, given our current approach, will always result in a search to see if there are accounts to link. Ideally this wouldn't happen, and a search would only happen on the user's first successful log in attempt.
We've come across the event.stats.logins_count value, but it seems this value is incremented even if a login attempt fails. This results in us being unable to use it to prevent our search/linking action running twice (i.e. check if event.stats.logins_count == 1), since a failure in our first action (which checks if the email is verified) would cause linking to be skipped (once the user has verified their email and attempted to log in again).
Thanks for all the great work you do on Auth0, and thank you so much for any insight or advice.
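The two Post Login steps described in the post, written out as an added example (editor's code, not Auth0's and not the original poster's). The decision logic is kept in pure functions so it can be unit-tested offline; the handler returned by makeOnExecutePostLogin is the shape of an Auth0 Post Login Action. The Management API access is injected as two assumed functions, searchUsersByEmail (in a real Action, a call to GET /api/v2/users-by-email) and linkUsers (POST /api/v2/users/{id}/identities); api.access.deny, api.authentication.setPrimaryUser and api.user.setAppMetadata are the Actions API calls Auth0 documents for denying a login, switching the transaction to the primary user after linking, and persisting app_metadata. The sample users at the bottom are constructed for the example. One design choice goes beyond the post: because the verification gate and the linking step live in the same Action, the link_checked flag is only written after a verified, successful login, so a first attempt that was denied for an unverified email does not cause linking to be skipped later, which is the logins_count problem the post raises.

```javascript
// Added example of Auth0 Post Login linking logic (not Auth0's own code).
// Assumed dependencies: searchUsersByEmail(email) -> Promise<user[]> and
// linkUsers(primaryUserId, { provider, user_id }) -> Promise, both wrapping
// the Auth0 Management API (users-by-email search and identity linking).

const DATABASE_PROVIDER = 'auth0';

// Step 1 gate: deny unverified emails; skip users that are already linked
// (more than one identity) or were already checked on an earlier login.
function gateLogin(user) {
  if (user.email_verified !== true) {
    return { action: 'deny', reason: 'Verify your email address before signing in.' };
  }
  const identities = user.identities || [];
  const alreadyChecked = !!(user.app_metadata && user.app_metadata.link_checked === true);
  if (identities.length !== 1 || alreadyChecked) return { action: 'skip' };
  return { action: 'search' };
}

// Pick the account to link into: same email (case-insensitive), a different
// user_id, and email_verified === true. Prefer the Auth0 database user; if
// there is none, fall back to the oldest verified account for determinism.
function selectLinkTarget(user, candidates) {
  const email = String(user.email).toLowerCase();
  const eligible = candidates.filter(
    (c) =>
      c.user_id !== user.user_id &&
      c.email_verified === true &&
      String(c.email).toLowerCase() === email
  );
  if (eligible.length === 0) return null;
  const isDatabaseUser = (c) =>
    (c.identities || []).some((i) => i.provider === DATABASE_PROVIDER);
  const native = eligible.find(isDatabaseUser);
  if (native) return native;
  return eligible
    .slice()
    .sort((a, b) => Date.parse(a.created_at) - Date.parse(b.created_at))[0];
}

// Step 2 plan: either link the identity that just logged in (secondary) into
// the chosen existing account (primary), or mark the user so later logins
// skip the search. The flag is only ever set after gateLogin has passed.
function planLinking(user, candidates) {
  const target = selectLinkTarget(user, candidates);
  if (!target) return { action: 'mark' };
  const identity = user.identities[0];
  return {
    action: 'link',
    primaryUserId: target.user_id,
    secondary: { provider: identity.provider, user_id: identity.user_id },
  };
}

// Thin Auth0 Post Login handler that executes the plan.
function makeOnExecutePostLogin({ searchUsersByEmail, linkUsers }) {
  return async function onExecutePostLogin(event, api) {
    const gate = gateLogin(event.user);
    if (gate.action === 'deny') {
      api.access.deny(gate.reason);
      return;
    }
    if (gate.action === 'skip') return;
    const candidates = await searchUsersByEmail(event.user.email);
    const plan = planLinking(event.user, candidates);
    if (plan.action === 'link') {
      await linkUsers(plan.primaryUserId, plan.secondary);
      // Continue the transaction as the primary (existing) user.
      api.authentication.setPrimaryUser(plan.primaryUserId);
    } else {
      api.user.setAppMetadata('link_checked', true);
    }
  };
}

// Constructed sample data (not real accounts): what a by-email search might
// return for alice@example.com, plus a brand-new Google login for the same email.
const SAMPLE_USERS = [
  { user_id: 'auth0|db1', email: 'alice@example.com', email_verified: true,
    created_at: '2023-01-01T00:00:00.000Z', identities: [{ provider: 'auth0', user_id: 'db1' }] },
  { user_id: 'facebook|fb1', email: 'alice@example.com', email_verified: true,
    created_at: '2022-06-01T00:00:00.000Z', identities: [{ provider: 'facebook', user_id: 'fb1' }] },
  { user_id: 'windowslive|ms1', email: 'alice@example.com', email_verified: false,
    created_at: '2021-01-01T00:00:00.000Z', identities: [{ provider: 'windowslive', user_id: 'ms1' }] },
];
const GOOGLE_LOGIN = {
  user_id: 'google-oauth2|g1', email: 'Alice@example.com', email_verified: true,
  identities: [{ provider: 'google-oauth2', user_id: 'g1' }],
};
```

In the real Action the two injected functions would be built from a Management API token held in the Action's secrets; the planner never sees the token, which keeps the part that decides who gets merged with whom small enough to review and test.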