Hi,
There’s a subtle problem to be aware of here.
Let’s say, for example, that the user originally signed up using IdP A. The user_id of their account will be something like “IdPA|123456”.
The account user_id is what appears in ID token and access token “sub” claims and is what clients (your applications or your partner applications) should rely upon to correlate with the data they hold for the user.
If the user links another secondary account for IdP B, the user_id for the original account - the primary - remains the same. From this point on, the user can authenticate with either IdP A or IdP B but the “sub” claim seen by the client remains the same - “IdPA|123456”.
If you unlink these two accounts, what you will be left with are two separate primary accounts:
- The original IdP A primary account, which has the user_id “IdPA|123456”.
- A new IdP B primary account, which has the user_id “IdPB|987654”.
I think that the IdP A account will still have any app or user metadata which was added to it. The IdP B account will not have the metadata - so, if you want to retain it, you’ll have to make API calls to copy it across.
Also, I’m not sure what happens to things like last login time, logged IP addresses or MFA enrollments - though I suspect that none of these will be set up on the IdP B account.
Importantly, though, if the user now authenticates using IdP B, the “sub” claim which your clients see is the IdP B user_id. Your clients will not have seen this ID before and, as far as they are concerned, this is a new user.
As far as I’m aware, there’s no way to change the user_id of the IdP B account so that it retains the original IdP A ID.
We came up with a workaround which was a lot of work and which I wouldn’t encourage - but I would love to know if there’s an Auth0 recommended solution?
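The link/unlink sequence described above, modelled as an added example (it is not Auth0's code or the poster's workaround); it assumes a simplified in-memory directory standing in for Auth0, and that the metadata is carried across by a separate `PATCH /api/v2/users/{id}` call rather than automatically:

```python
from dataclasses import dataclass, field

@dataclass
class User:
    user_id: str                                   # e.g. "IdPA|123456"; becomes the "sub" claim
    identities: list = field(default_factory=list)
    user_metadata: dict = field(default_factory=dict)
    app_metadata: dict = field(default_factory=dict)

def identity_of(user_id: str) -> dict:
    provider, _, raw = user_id.partition("|")
    return {"provider": provider, "user_id": raw}

def sub_for_login(directory: dict, provider: str, raw_id: str) -> str:
    """Resolve an IdP login to the account whose user_id the client will see as "sub"."""
    for user in directory.values():
        if identity_of(f"{provider}|{raw_id}") in user.identities:
            return user.user_id
    raise KeyError("no account for this identity")

def link(directory: dict, primary: User, secondary: User) -> None:
    """Fold the secondary identity into the primary; the secondary record goes away."""
    primary.identities.append(identity_of(secondary.user_id))
    del directory[secondary.user_id]

def unlink(directory: dict, primary: User, provider: str, raw_id: str) -> User:
    """Unlinking yields two primaries; the split-off account starts with empty metadata."""
    ident = {"provider": provider, "user_id": raw_id}
    primary.identities = [i for i in primary.identities if i != ident]
    new = User(user_id=f"{provider}|{raw_id}", identities=[ident])
    directory[new.user_id] = new
    return new

def metadata_copy_patch(source: User) -> dict:
    """Body for PATCH /api/v2/users/{target_id} to carry metadata across (assumed manual step)."""
    return {"user_metadata": dict(source.user_metadata), "app_metadata": dict(source.app_metadata)}

def scenario() -> dict:
    # Constructed sample accounts; ids follow the post's "IdPA|123456" / "IdPB|987654".
    a = User("IdPA|123456", [identity_of("IdPA|123456")], {"tier": "gold"}, {"roles": ["admin"]})
    b = User("IdPB|987654", [identity_of("IdPB|987654")])
    directory = {a.user_id: a, b.user_id: b}
    link(directory, a, b)
    sub_linked = sub_for_login(directory, "IdPB", "987654")     # still "IdPA|123456"
    new_b = unlink(directory, a, "IdPB", "987654")
    sub_after = sub_for_login(directory, "IdPB", "987654")      # now "IdPB|987654"
    client_known = {"IdPA|123456"}                                # subs the client has data for
    return {"sub_while_linked": sub_linked, "sub_after_unlink": sub_after,
            "client_recognises_sub": sub_after in client_known,
            "new_account_metadata": new_b.user_metadata, "patch_body": metadata_copy_patch(a)}
```

Running `scenario()` shows the client seeing a sub it has never stored after the unlink, and the empty metadata on the split-off account that the PATCH body would fill.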