Problem statement
We are going through a GSuite migration, where users from the pre-existing parent company GSuite account are being extracted into a new account, maintaining the same email addresses. A big bang cutover is being planned, where all the user accounts will be deleted from the old account and created in the new account. As these will be new accounts in Google, each user will have a new user_id in Google.
My question is, how will these users be treated when they log in through Auth0’s Social google-auth2 connection?
Will Auth0 treat it as the same user logging in (as the email address is the same) and in effect merge the account and permissions, or will it treat it as an entirely new user that just happens to have the same email address as another user?
If it’s the latter, is there a way to configure Auth0 to treat these as the same user?
Symptoms
- Duplicated user accounts
- Missing roles or metadata
- Concerns about upcoming G-Suite migration
Cause
-
Auth0 will see a user who logs in on a Google connection as a completely new user if the attribute that Google returns which is being mapped to user_id, is different from the one already stored in Auth0.
-
For a Google Social connection, the user will likely have a different Google ID after the migration of their G-Suite - (but this is not confirmed - best to ask Google Support)
-
For a Google Enterprise connection, if the user retains their original email address, they should be able to log in as normal, unless the option to use Google ID for user_id has been enabled, in which case it could be impacted with the same issue mentioned above.
Solution
We recommend that you determine what is being used from the Google response as the Auth0 user_id, to work out whether users will be able to keep logging in as the same Auth0 user account post-G-Suite migration or will be seen as new accounts.
If this is changing, then account linking could be used to match up the old account with the new one created upon their first login as the new G-Suite entity. Note that as the old account will no longer be accessible to the end user, this account linking must be done server-side. Check out the resource below:
Alternatively, if the Google Enterprise connection is being used, there is an option to enable the Auth0 User ID feature when creating the connection.