I have crawled through some of the similar forum posts relating to this question but I can’t seem to find a clear path to manage the above.
For example, we often have users who no longer want to sign in via Google (or no longer have access) and want to switch to an email/password connection.
We have observed that on occasion social login customers can request a reset password; after receiving this, they can log in and their account is linked via account linking. However, this isn’t the case for all customers (many cannot receive reset emails), so it’s creating confusion on how this should be handled.
What is the correct way to handle requests like these in Auth0?
Social connection users should not be able to reset their passwords on your application. They can only do so from the Social IdP (e.g., Google).
If some of these users were able to reset their passwords on your application while others were not, then it seems that the ones who could already have an email and password account.
Could you please clarify if you intend to continue linking accounts?
Thanks for getting back to me - I had a look and you’re right, users who have been able to request a reset password were already initially connected via username/password connection.
We do intend to continue using linking accounts. We just need to understand how to best serve customers that need to switch from social to username/password?
If you would like to continue using account linking, you can serve customers who would like to switch from social to email+password by having them sign up with an email and password.
After the user has created their account while account linking is active, they will be prompted to link their secondary account (email + password) with their primary account (social). This is also mentioned here.
Let me know if there’s anything else I can do to help.
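The distinction drawn in the answers above, sketched as an added example (not part of the thread and not Auth0's own code): it groups user profiles by email and reports whether a password reset can work or whether the user has to sign up with email and password and then link. It assumes profiles in the shape the Management API returns, with an `identities` array in which database identities carry `provider: "auth0"`; the sample users and the action labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample profiles (ids and emails are made up), shaped like the
# user objects the Auth0 Management API returns, each with an "identities" array.
USERS = [
    {"user_id": "google-oauth2|1001", "email": "ana@example.com", "identities": [
        {"provider": "google-oauth2", "connection": "google-oauth2", "isSocial": True}]},
    {"user_id": "google-oauth2|1002", "email": "Ben@example.com", "identities": [
        {"provider": "google-oauth2", "connection": "google-oauth2", "isSocial": True},
        {"provider": "auth0", "connection": "Username-Password-Authentication",
         "isSocial": False}]},
    {"user_id": "google-oauth2|1003", "email": "cy@example.com", "identities": [
        {"provider": "google-oauth2", "connection": "google-oauth2", "isSocial": True}]},
    # Separate, unlinked database profile with the same email as 1003.
    {"user_id": "auth0|c3", "email": "cy@example.com", "identities": [
        {"provider": "auth0", "connection": "Username-Password-Authentication",
         "isSocial": False}]},
]

def triage_by_email(users):
    """Map each email to the support action the thread describes."""
    identities = defaultdict(list)
    for user in users:
        email = (user.get("email") or "").strip().lower()
        identities[email].extend(user.get("identities", []))

    actions = {}
    for email, idents in identities.items():
        # Database (email + password) identities use provider "auth0".
        if any(i.get("provider") == "auth0" for i in idents):
            actions[email] = "password_reset"      # a password exists to reset
        elif any(i.get("isSocial") for i in idents):
            actions[email] = "sign_up_then_link"   # social only: no password here
        else:
            actions[email] = "manual_review"       # e.g. enterprise or passwordless
    return actions

if __name__ == "__main__":
    for email, action in sorted(triage_by_email(USERS).items()):
        print(f"{email}: {action}")
```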