When a user tries to log in with a Social IdP (Identity Provider), Auth0 creates a new account with the oauth2 identity provider for an existing primary user account with the same email address, but the account with the oauth2 IdP has an unverified email, and that prevents the user from logging in using the social connection.
I want to enable linking of these different identities with the primary account as soon as it’s created (before the user attempts to log in with the social IdP), but I am not able to determine how I can achieve this.
Should I make use of features like Rules, Actions, Hooks, etc., or are there some settings for this?
I am stuck here; can anyone please help me with this?
I can explain more if needed, and provide required information on the current state of the tenant I am using.
It is possible to link user profiles automatically and here’s a link to our account linking documentation, however please review the disclaimer below before implementing your own solution:
Account linking is advantageous in many ways and can bring great benefits. Though documentation, samples and guidance are available, current collateral is less than complete when it comes to the security considerations surrounding account linking: the assumption is made that the user who authenticated as part of login is the legitimate owner of any accounts to be linked. This assumption opens up a potential security flaw which is described in the use cases below. Left unaddressed, this can have serious consequences, resulting in the potential for personal information loss, denial of service or perhaps worse.
Feel free to reply with any follow up questions and I hope this helps!
@matt.g thanks for the above suggested solution.
I tried it, but it seems not to be working for me.
The rule didn’t link user identities before the user attempted to log in for the first time using the social IdP.
The rule exited, producing the following logs:
And the social IdP login attempt failed with the error "Please verify your email before logging in.", because the newly created user account with the social oauth2 identity has an unverified email, since it has not yet been linked to the primary account.
Any thoughts on this? Am I doing something wrong here?
If any details are required for troubleshooting, I can provide them.
To clarify, the rule will link accounts during the session in which the user is logging in/signing up via the social IdP for the first time; it can’t link the social identity until a sign-up/login action from the user makes it aware of the social identity. After that rule has run, the user will have a primary profile (probably from a database connection) and a secondary profile (from the social IdP).
In terms of the email verification block at the top, you can actually comment it out/remove it if it isn’t a requirement for you. This rule is set up to work for several connection types and in some instances it might be valuable to confirm that the user has verified their email address, but it isn’t integral to the account linking process itself.
I hope this helps and please let me know if you have any follow up questions!
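The two points above (the rule can only act at the login that introduces the social identity, and the email-verification block at the top is a separable guard) are easier to see with the decision isolated from the Auth0 runtime. The following is an added example, not Auth0's own sample rule and not code from this thread: it models the choice a same-email linking Rule makes for the user who just authenticated, given the other profiles that share the email. The profile shapes, ids, connection names and the `requireVerifiedEmail` option are constructed for illustration.

```javascript
// Added example: the decision a same-email account-linking Rule makes at
// login time, kept free of Auth0 API calls so it runs and tests offline.
// A real Rule would run this inside `function (user, context, callback)`
// and act on the result (deny the login, or link and set the primary user).

// Constructed sample profiles (ids and connection names are made up).
const PRIMARY = {
  user_id: 'auth0|db-user-1',
  email: 'alice@example.com',
  email_verified: true,
  identities: [{ provider: 'auth0', connection: 'Username-Password-Authentication' }],
  created_at: '2023-01-01T00:00:00.000Z',
};

const SOCIAL = {
  user_id: 'oauth2|social-user-1',
  email: 'alice@example.com',
  email_verified: false,   // the state described in the thread
  identities: [{ provider: 'oauth2', connection: 'my-social-idp' }],
  created_at: '2023-06-01T00:00:00.000Z',
};

/**
 * Decide what to do for `user` (the profile that just logged in) given
 * `sameEmailUsers`, the profiles returned by an email lookup.
 *
 * Returns one of:
 *   { action: 'skip', reason }                  nothing to link yet
 *   { action: 'deny', reason }                  block the login
 *   { action: 'link', primaryId, secondaryId }  merge current login into primary
 *
 * `requireVerifiedEmail` stands in for the "email verification block" at the
 * top of the rule; set it to false to remove that guard. Doing so links the
 * social identity purely on the strength of a matching email, which is the
 * assumption the disclaimer quoted above warns about.
 */
function decideLinking(user, sameEmailUsers, { requireVerifiedEmail = true } = {}) {
  // The user logging in is never a candidate to link into.
  const others = sameEmailUsers.filter((u) => u.user_id !== user.user_id);
  if (others.length === 0) {
    // Before the first social login there is no second identity to link,
    // which is why the rule cannot link "in advance".
    return { action: 'skip', reason: 'no other account with this email' };
  }

  if (requireVerifiedEmail && !user.email_verified) {
    return { action: 'deny', reason: 'Please verify your email before logging in.' };
  }

  // Only ever merge into a primary whose own email is verified.
  const candidates = others.filter((u) => u.email_verified);
  if (candidates.length === 0) {
    return { action: 'skip', reason: 'no verified account to link into' };
  }

  // Oldest verified profile becomes the primary; the current login is secondary.
  const primary = candidates.reduce((a, b) => (a.created_at <= b.created_at ? a : b));
  return { action: 'link', primaryId: primary.user_id, secondaryId: user.user_id };
}

// Walk through the scenarios from the thread.
function scenarios() {
  return {
    // Primary exists, social identity not yet seen: nothing to do.
    beforeSocialLogin: decideLinking(PRIMARY, [PRIMARY]),
    // First social login with the verification guard in place: denied.
    socialLoginGuarded: decideLinking(SOCIAL, [PRIMARY, SOCIAL]),
    // Same login with the guard removed: linked into the database profile.
    socialLoginUnguarded: decideLinking(SOCIAL, [PRIMARY, SOCIAL], { requireVerifiedEmail: false }),
  };
}

module.exports = { decideLinking, scenarios, PRIMARY, SOCIAL };
```

The `beforeSocialLogin` case is the behaviour reported in the thread: with only the database profile present, a rule has nothing to link, so the "Rule exited" logs are expected. Whether to run `socialLoginUnguarded` in production is the trade-off the disclaimer describes; if the guard is removed, the primary's `email_verified` check should at least stay in place so an unverified profile never becomes the merge target.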