Linking Accounts does not take into consideration only the applications' connections (databases)

Feature:
Today, the Linking Accounts does not take into consideration only the applications’ connections (databases)

Description:
I have opened an issue in the auth0-account-link-extension but I will also post it here, as it seems that the code is not being maintained.

I found a situation that in my humble opinion is a bug.

The thing is: when the rule code looks for users with the email (link.js#L202) it does not take into consideration the databases (connections) that are enabled for the current application that is being used. It searches for the user in all the databases (which could belong to other, unrelated applications) and shows the user the linking page.

Example: We have two different applications (e.g. Run and Walk) that have different databases (e-mail/password). The user can have accounts in both applications, but they are different users. If we add a social connection (database) for one of the applications (e.g. Run) and the user tries to log in, it looks in both databases (Run and Walk) for a user with that email. But it should not, as databases are only associated with their own application (Run app → Run database and Walk app → Walk database).

Even if we edit the rule to filter out the users in databases not associated with the current application (by getting the application ID (client_id) from the query, calling the connections API (GET /api/v2/connections) and removing from the user list all the users from databases that are not associated with the desired application), it does not work correctly.

In the extension code the matching users are listed from all the connections (code from get_index.js), just as is done in the rule code.

So, this causes a lot of problems when we have a user with the same email in databases that are not associated with the current application. IMHO, the search by email should respect the connections that are enabled for the application.

I hope my explanation is clear. If you have any questions, please let me know.

(version used: Auth0 Account Link Version 2.6)

Use-case:
We have many applications on one tenant. Each has its own auth0 database. We were trying to add a social connection to one of them, but as I mentioned earlier, it is trying to link to the users in other applications that do not have the social connection associated.
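The filter described in the post (scoping the email match to the connections enabled for the requesting client_id), as an added example that is not code from the rule, the extension or Auth0. The connection and user records are constructed here; their shapes follow the Management API's connections (`enabled_clients`) and users-by-email (`identities[].connection`) responses, and the client IDs and connection names are placeholders.

```javascript
// Added example, not the rule's or the extension's own code.
// Record shapes follow the Auth0 Management API:
//   GET /api/v2/connections    -> [{ name, strategy, enabled_clients: [client_id, ...] }]
//   GET /api/v2/users-by-email -> [{ user_id, email, identities: [{ connection, provider }] }]
// All values below are constructed; client IDs and connection names are placeholders.

const connections = [
  { name: 'run-db',        strategy: 'auth0',         enabled_clients: ['RUN_CLIENT_ID'] },
  { name: 'walk-db',       strategy: 'auth0',         enabled_clients: ['WALK_CLIENT_ID'] },
  { name: 'google-oauth2', strategy: 'google-oauth2', enabled_clients: ['RUN_CLIENT_ID'] },
];

// Everything users-by-email would return for pat@example.com, across the whole tenant.
const candidateUsers = [
  { user_id: 'auth0|run-1',          email: 'pat@example.com', identities: [{ connection: 'run-db',        provider: 'auth0' }] },
  { user_id: 'auth0|walk-1',         email: 'pat@example.com', identities: [{ connection: 'walk-db',       provider: 'auth0' }] },
  { user_id: 'google-oauth2|g-1',    email: 'pat@example.com', identities: [{ connection: 'google-oauth2', provider: 'google-oauth2' }] },
];

// The user currently logging in to the Run app through the social connection.
const currentUser = candidateUsers[2];

// Names of the connections the given application is allowed to use.
function connectionsEnabledFor(clientId, conns) {
  return new Set(
    conns
      .filter(c => Array.isArray(c.enabled_clients) && c.enabled_clients.includes(clientId))
      .map(c => c.name)
  );
}

// Link candidates: same-email users with at least one identity in a connection
// enabled for clientId, excluding the user who is logging in (no self-linking).
// Users from databases that belong to other applications are dropped here.
function linkCandidates(current, users, clientId, conns) {
  const allowed = connectionsEnabledFor(clientId, conns);
  return users.filter(u =>
    u.user_id !== current.user_id &&
    Array.isArray(u.identities) &&
    u.identities.some(id => allowed.has(id.connection))
  );
}

// Run app: only the run-db account is offered for linking; walk-db is not.
console.log(linkCandidates(currentUser, candidateUsers, 'RUN_CLIENT_ID', connections).map(u => u.user_id));
```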

Hey @jvieira,

Thanks for taking the time to write up a detailed report and issue in GH. Hopefully, we can get some traction on this.
