Linking of accounts seems to exist as well. albeit with separate accounts (there go the stats) and a very complicated setup.
For cases like ours, where social login should be allowed for the ease of the login process but only for previously registered users, it should be enough that a stranger clicks on social login button and gets an error unless an admin had created an username/password account on beforehand with the same e-mail address. Where do I have this list of users - in Auth0 database, that is in https://manage.auth0.com/dashboard/eu/vacilando/users
The concept of creating the users in advance for social connection does not exist in Auth0 as of now.
You can create database users in advance, but they would still be completely separate entities from social logins, even if the email match, so you would need to create a rule to handle the additional logic.
The strategy then could be:
- Create database users in advance (no public signup allowed)
- Add a rule that checks if the user logging in is a social connection user. If so:
- If this user is already linked to a db user, allow the log in normally.
- Check if there’s a user with the same (and verified) email address in the DB connection (you can use API v2’s search-by-email endpoint for this).
- If found, link the identities making the db connection user the primary identity
- If not found, deny authorization