I am having an issue with the management API and 3rd party IDPs with brand new users.
When a user decides to log in with a 3rd party IDP for the first time, we query Auth0 for all users that have the same email as the one that has just logged in. For that, we use the GET /api/v2/users search endpoint with the users email because, as for reasons stated in Search for Users by Email with Auth0 Management API Endpoint , the GET /api/v2/users-by-email endpoint is case sensitive which doesn’t work in this use case as some IDP providers format their users emails like Firstname.Lastname@example.com.
However, as for reasons stated in User search sometimes does not return newly created users , the results of the search function are not immediately consistent. So the brand new user that was just created by a user logging in with their 3rd party IDP for the first time, sometimes doesn’t show up in the search results.
So we now have a scenario where if I want to get all users with a particular email right after a new one has just been created with the same email, I have to query GET /api/v2/users-by-email endpoint with the email with capital letters, and then again with all lower case to get all of the Auth0 IDP users. (And even then, if the users email was somehow formatted like firstName.lastName@example.com for whatever reason, that account would slip through the cracks)
Is there a better way to approach this that I’m missing? I feel like this workflow would be easily solved if GET /api/v2/users-by-email had an optional ignoreCase flag that could be sent with the request.
The official recommended way for performing account linking server side (which is what we are doing) also runs into the email case sensitivity problem.
As a side note, It is listed in the official spec “Simple Mail Transfer Protocol” (RFC5321 - Section 4.1.2) that the local part of the email address may be case sensitive. However not a single mainstream email provider implements case sensitivity as it would be way to confusing for the general public (most services that store user emails call .toLowerCase() on them anyway (including Auth0) completely defeating the purpose). So I don’t see why the GET /api/v2/users-by-email endpoint should implement this restriction. Or if there is a reason, it would be awesome if there was a provided option to bypass it for the scenarios which need it.