I’ve just added the Facebook IdP with “public profile” (default) and “email” privileges (only).
I also added a FB app ID and keys.
When signing up using this provider, I noticed that it doesn’t return the email address. As far as I can tell I have not disabled/disallowed the sharing of my FB email adress, at least as far as I can tell (in the FB settings jungle).
I’ve seen other questions like this on the forum, but none had a definitive answer to them.
I’d really like to know the email at pre-registration to detect duplicate accounts. I know there is the Account Linking extension, but I wouldn’t need it if I can match it during registration. To illustrate, this API call returns either a new or existing ID based on the user’s email address:
Alternatively, is there another way to ask the user email at this point, if/when not provided by the IdP?
UPDATE: Just added Twitter IdP as well. Same thing. Seems like email addresses are not guaranteed to be provided by the IdP. So… is there a way to add a field to the sign-up form for this, even when using an IdP? – Kinda defeats the purpose of using an IdP though…
Hi @StuStu, as you discovered, users have the option to share or hide their email addresses with Auth0 when using Facebook social login (I’m not familiar with Twitter social login in Auth0 but seems to be the same case).
In your test example, you may have some privacy setting enabled in Facebook to disallow sharing email address by default. Alternatively, users can have Facebook accounts with phone numbers only and no email address so that is something to consider as well.
Using the additionalSignUp fields on Classic Universal Login pages are only for database accounts and will not work for social users.
Auth0 recommends something called Progressive profiling to gather additional information about the user post-signup.
In this case, you would need to store the email address the user filled in the custom form into the user_metadata or app_metadata object after returning from the /continue endpoint, so be sure to accommodate for that in other areas of your code / actions.
(i.e. event.user.email || event.user.user_metadata.email)
Alternatively, if all else fails, you can simply deny login for users with no email addresses via the Post-Login flow API Objectapi.access.deny function.
Thanks, I had naively assumed an email address would always be present. Very insightful explanation!
This seems to be putting me on a road where an email address is not required, and account linking is done afterwards (hopefully mostly automagically). As I wanted an email address not to send email, but to identify the same user coming from different IdP’s.
Being a user myself, I love to be able to use a social login, but don’t always remember which one I used. And then hate to end up with more than one account.