Is there a best practice for dealing with local signups when a social user may already exist with the same email address, but I’m not allowed to require email verification for local accounts?
I need to be able to support signups for users who want to create accounts using either a local Auth0 connection or a social provider. The challenge is that I can’t enforce email verification for local users, and that leads to a massive security hole.
The application I’m dealing with gladly accepts the login from either source, and it will automatically link the users based on email address.
This leads to the security hole where User A signs up with a social login and only uses the social login, and User B registers for an Auth0 local user account with User A’s email address.
One idea would be to create a local user automatically whenever a new social user signs up. This would prevent anyone else from signing up for a local account using the social user’s email address. Is this feasible with a rule? Are there better ways to handle this that don’t require verifying local users’ email addresses?
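As an added illustration, not code from the original post and not Auth0's own logic, the following toy JavaScript model replays the takeover described above under three linking policies: the email-only auto-link the poster's application performs today, the poster's idea of occupying the email on the local connection with a placeholder user at social signup, and, for comparison, a policy that links only when both identities carry a verified email. The in-memory store, the identity shape, the use of `auth0` as the local connection name, the policy names and the placeholder mechanism are all assumptions of this example.

```javascript
// Toy in-memory identity store written as an added illustration for the
// question above. It is NOT Auth0's implementation: the account shape, the
// policy names and the placeholder-user mechanism are assumptions of this
// example. An identity is what a connection hands over after authentication:
//   { connection, userId, email, emailVerified }
// "auth0" stands for the local database connection; anything else is social.
// Local signups arrive with emailVerified === false because, as in the
// question, verification cannot be enforced for them.

const POLICY = {
  LINK_BY_EMAIL: "link-by-email",          // the behaviour the question describes
  RESERVE_ON_SOCIAL: "reserve-on-social",  // the idea floated in the question
  LINK_IF_VERIFIED: "link-if-verified",    // link only when both sides are verified
};

function createStore(policy) {
  return { policy, accounts: [], nextId: 1 };
}

const isLocal = (identity) => identity.connection === "auth0";

function sameIdentity(a, b) {
  return a.connection === b.connection && a.userId === b.userId;
}

function createAccount(store, email, identities) {
  const account = { id: store.nextId++, email, identities };
  store.accounts.push(account);
  return account;
}

// Handle one login or signup; returns { action, accountId?, reason? }.
function handleLogin(store, identity) {
  const email = identity.email.trim().toLowerCase();
  const normalized = { ...identity, email };

  // 1. Known identity: an ordinary login, no linking decision needed.
  const owner = store.accounts.find((a) => a.identities.some((i) => sameIdentity(i, normalized)));
  if (owner) return { action: "login", accountId: owner.id };

  // 2. The same connection already holds this email. The model treats email as
  //    unique within a connection, so a second local signup is refused.
  const byEmail = store.accounts.find((a) => a.email === email) || null;
  if (byEmail && byEmail.identities.some((i) => i.connection === normalized.connection)) {
    return { action: "rejected", reason: `email already registered on ${normalized.connection}` };
  }

  // 3. Another connection holds this email: link, or keep the accounts separate.
  if (byEmail) {
    const bothVerified = normalized.emailVerified && byEmail.identities.every((i) => i.emailVerified);
    if (store.policy !== POLICY.LINK_IF_VERIFIED || bothVerified) {
      byEmail.identities.push(normalized); // email-only linking: the hole in the question
      return { action: "linked", accountId: byEmail.id };
    }
    const separate = createAccount(store, email, [normalized]);
    return { action: "created", accountId: separate.id, reason: "unverified email, not linked" };
  }

  // 4. New email: create the account. Under the reserve policy a verified social
  //    signup also occupies the email on the local connection with a placeholder
  //    identity (no usable password), so step 2 refuses a later local signup.
  const identities = [normalized];
  if (store.policy === POLICY.RESERVE_ON_SOCIAL && !isLocal(normalized) && normalized.emailVerified) {
    identities.push({ connection: "auth0", userId: `placeholder|${email}`, email, emailVerified: true, placeholder: true });
  }
  const account = createAccount(store, email, identities);
  return { action: "created", accountId: account.id };
}

// Replay the scenario from the question under a policy: A signs up socially,
// then B registers a local account with A's address (constructed sample data).
function scenarioFromQuestion(policy) {
  const store = createStore(policy);
  const a = { connection: "google-oauth2", userId: "10001", email: "alice@example.com", emailVerified: true };
  const b = { connection: "auth0", userId: "5f3c", email: "Alice@Example.com", emailVerified: false };
  const first = handleLogin(store, a);
  const second = handleLogin(store, b);
  return { first, second, sameAccount: first.accountId === second.accountId };
}

// The reverse order: B registers locally first, A's social login arrives later.
function scenarioReversed(policy) {
  const store = createStore(policy);
  const b = { connection: "auth0", userId: "5f3c", email: "alice@example.com", emailVerified: false };
  const a = { connection: "google-oauth2", userId: "10001", email: "alice@example.com", emailVerified: true };
  const first = handleLogin(store, b);
  const second = handleLogin(store, a);
  return { first, second, sameAccount: first.accountId === second.accountId };
}
```

Running the two scenario functions under each policy shows the shape of the problem. The placeholder-user idea does stop the ordering described in the question (social signup first, local registration second) because the local connection already holds the address. It does nothing for the reverse ordering: an unverified local account registered first is still linked to the social identity that arrives later, exactly as under plain email linking. Only the policy that refuses to link while either side's email is unverified covers both orderings, which is why the example includes it for comparison even though the question asks to avoid verification.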