Auth0 Home Blog Docs

Unlinking "primary" identity

Howdy!

I’m working on linking/unlinking of user identities, and am wondering what happens when the user wants to manually unlink their “primary” identity from our settings page. Say they sign up with a social account and link another one in our settings page, then they decide to unlink the social account they signed up with. What happens to the auth0 data at this point since that was the “primary” account identifier?

Hey there @anja!

It’s indeed a good question! Let me reach out to appropriate engineering team and get that answer for you!

1 Like

So here’s all you need to know:

  • The secondary account is removed from the identities array of the primary account
  • A new secondary user account is created
  • The secondary account will have no metadata

@konrad.sopala Ah ok - does that mean that MFA info from the original primary account is moved to the new primary as well?

Need to confirm that with the team cause I’m not sure about that!

Probably the MFA will not be merged. If MFA is not merged, the user will be prompted for MFA enrollment.

Hi,

There’s a subtle problem to be aware of here.

Let’s say, for example, that the user originally signed up using IdP A. The user_id of their account will be something like “IdPA|123456”.

The account user_id is what appears in ID token and access token “sub” claims and is what clients (your applications or your partner applications) should rely upon to correlate with the data they hold for the user.

If the user links another secondary account for IdP B, the user_id for the original account - the primary – remains the same. From this point on, the user can authenticate with either IdP A or IdP B but the “sub” claim seen by the client remains the same - “IdPA|123456”.

If you unlink these two accounts, what you will be left with are two separate primary accounts:

  • The original IdP A primary account, which has the user_id “IdPA|123456”.
  • A new Idp B primary account, which has the user_id “IdPB|987654”.

I think that the IdP A account will still have any app or user metadata which was added to it. The IdP B account will not have the metadata - so, if you want to retain it, you’ll have to make API calls to copy it across.

Also, I’m not sure what happens to things like last login time, logged IP addresses or MFA enrollments - though I suspect that none of these will be set up on the IdP B account.

Importantly, though, if the user now authenticates using IdP B, the “sub” claim which your clients see is the IdP B user_id. Your clients will not have seen this ID before and, as far as they are concerned, this is a new user.

As far as I’m aware, there’s no way to change the user_id of the IdP B account so that it retains the original IdP A ID.

We came up with a workaround which was a lot of work and which I wouldn’t encourage - but I would love to know if there’s an Auth0 recommended solution?

1 Like

Hey there Glenn!

Let me discuss it and address the concern you reported!

@glenn.davies thank you for sharing your experience! I was worried about how much witchcraft was needed to keep the user data alive when they are changing their primary identity.

@konrad.sopala am definitely interested in know if auth0 has a solution for keeping user data around when they are linking/delinking and potentially changing their primary identity. It would be a rough user experience for them to have to re-enroll to guardian in those cases.

Sure! I’ll get back to you as soon as we have the results of our discussion! Will do it as soon as possible!

1 Like