Forgot Password auto creates a new DB account for social login

I seem to have stumbled upon what looks like a bug.

  • Create 2 connections in your tenant: Google & a DB connection
  • Create an app using the 2 connections

(for the login page I simply used universal login)

  • in Auth0 look at your “Users” you have none
  • Launch the login screen & login with Google
    • Auth0 > Users: Now has 1 user in the Google connection
    • Take note of the user ID (e.g. “google-oauth2|1234”)
  • Go back to your app and log out
  • Use the “forgot your password” which will switch to the form that accepts an email address
  • Enter in the email of your google account

I would expect to NOT get an email for this account since it is a social account. So technically the email address I entered should not exist as the password reset should only apply to users in a DB connection (as per my reading of the docs).

  • Go check your email inbox and you will have gotten a “reset your password” email from Auth0

This seems wrong, but hey, you got an email, so why not move forward.

  • Click the “Reset Password” button
  • You’ll load up the change password page from Auth0
    • Auth0 > Users still only has 1 user
  • Set a password and confirm it
    • Auth0 > Users still only has 1 user
  • Now back at the login screen, instead of logging in with google, enter your google email & the password you just created
  • TADA. You logged in!

If you look at Auth0 > Users you now have a new user created under the DB connection. They seem to be a copy of the social one as the user ID is the same ID as the social one prefixed with “auth0|”.

I first wondered if our tenant had some odd auto-linking/merging feature enabled. So I tried the above with a new tenant and was able to reproduce it as well. This seems like a bug to me; if it is expected behavior, can anyone point me at documentation that explains this so I can come up with a plan in our app to deal with these duplicate accounts?
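An added example, not from the original post or from Auth0: a small Python audit that scans user records in the shape of the Auth0 Management API user object (`user_id`, `email`, `identities[]`) and reports emails that exist as separate social and database records, which is the duplicate situation the post describes. The records are constructed, and the `shadow_social_id` helper assumes the ID shape the post reports (the social ID prefixed with `auth0|`).

```python
from collections import defaultdict

# Constructed sample of Auth0-style user records (not real tenant data).
SAMPLE_USERS = [
    {"user_id": "google-oauth2|1234", "email": "Alice@example.com",
     "identities": [{"provider": "google-oauth2", "connection": "google-oauth2",
                     "user_id": "1234", "isSocial": True}]},
    # DB record created by the password-reset flow described in the post:
    # same email, user_id is the social id prefixed with "auth0|" (assumed shape).
    {"user_id": "auth0|google-oauth2|1234", "email": "alice@example.com",
     "identities": [{"provider": "auth0", "connection": "Username-Password-Authentication",
                     "user_id": "google-oauth2|1234", "isSocial": False}]},
    # Properly linked account: one record with two identities, not a duplicate.
    {"user_id": "github|777", "email": "bob@example.com",
     "identities": [{"provider": "github", "connection": "github",
                     "user_id": "777", "isSocial": True},
                    {"provider": "auth0", "connection": "Username-Password-Authentication",
                     "user_id": "abc", "isSocial": False}]},
    {"user_id": "auth0|555", "email": "carol@example.com",
     "identities": [{"provider": "auth0", "connection": "Username-Password-Authentication",
                     "user_id": "555", "isSocial": False}]},
]

def find_unlinked_duplicates(users):
    """Return {email: [user_ids]} for emails held by more than one separate
    user record where at least one record is a social login and at least one
    is a database (auth0) login. Linked accounts (one record, several
    identities) are intentionally not reported."""
    by_email = defaultdict(list)
    for u in users:
        email = (u.get("email") or "").strip().lower()  # normalise case/whitespace
        if email:
            by_email[email].append(u)
    dupes = {}
    for email, recs in by_email.items():
        if len(recs) < 2:
            continue
        social = any(i.get("isSocial") for r in recs for i in r["identities"])
        database = any(i.get("provider") == "auth0" for r in recs for i in r["identities"])
        if social and database:
            dupes[email] = sorted(r["user_id"] for r in recs)
    return dupes

def shadow_social_id(db_user_id):
    """Recover the social user_id a DB copy was derived from, assuming the shape
    the post reports ('auth0|' + social id); returns None for ordinary DB ids."""
    prefix = "auth0|"
    rest = db_user_id[len(prefix):] if db_user_id.startswith(prefix) else ""
    return rest if "|" in rest else None
```

Run it against a full user export (for example the output of a Management API users search) to get the list of accounts that need linking or cleanup before relying on email as a unique key.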