Preserving an account when allowing provider change

I’m struggling to support the use case where a user initially signs up with a social provider like Facebook and later wants to disconnect from Facebook without losing their account. We’re already supporting linking identities, but if anything is tied to the primary identity’s sub in any of our systems, then allowing them to disconnect from Facebook would mean losing that linkage. It almost seems like we’d need to make a “ghost” account that’s the primary and make any social connection be linked identities so we can add and remove those without altering the sub of the account. That seems like a hack, but it’s not clear how to handle this otherwise. If I allow the user to disconnect their primary identity and promote a linked identity to be the new primary, then the sub of the account changes. Any thoughts?

Hey there!

Sorry for such a huge delay in response! We’re doing our best to provide you with the best developer support experience out there, but sometimes our bandwidth is not enough compared to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?

I’ve already built a fairly complicated Rule to create a surrogate Auth0 database account for social signups, linking the social identity to that primary. It solves our problem, but I still can’t believe Auth0 doesn’t provide stable user IDs that aren’t associated with the provider they initially used for signing up. A user ID should not encode implementation details within it; regardless of what connection a user signs up with, a user ID should look like the Auth0 email/password user IDs.

I ended up filing a support request regarding this issue, because I figured I must have been missing something. The response I received indicated that the engineer had never heard of such a request and was surprised that I didn’t want this sort of information leakage. The solution for maintaining a user account created with e.g. Facebook if the user no longer wants that Facebook account associated with their Auth0 account was to let them disconnect it from the Facebook side but leave their Auth0 user ID as facebook|abc123. This is of course not a viable solution, and the problems associated with it would be a non-issue if user IDs were correctly managed from the beginning.

1 Like