We have been using Auth0 for a couple of years now and have noticed an issue in user behavior we would like to try and correct. The issue is that many users are ending up with multiple Auth0 logins (user accounts) because they don’t remember which social media identity provider they used when they created their account.
We are using the new universal login experience and have noticed from the login form that if someone uses a social media identity provider a new account is always created. So what is happening with the users is that they don’t recall which account they used to create their login, and are now creating others in Auth0 as they try to figure out which is the correct one.
First off, I would expect the functionality of a login form to not create a new user account in Auth0, that should be reserved for the new account form. We are not seeing any options to limit this from happening.
We are hoping we can stop them before the user is created in Auth0, or something along those lines. Perhaps providing a question to the user saying, “this provider has not logged in before, do you wish to create a new account?”
This will help the users determine which account they used for account creation. Any suggestions are appreciated. Thank you.
Check out the account linking extension. This will let users securely link their multiple accounts.
An account with Google is different than an account with Facebook, and Auth0 must represent this.
They are not the same as a Username/Password DB account, or the same as each other.
So, you must explicitly link these accounts if you want them to be the “same”.
The register form creates a username/password account. A user CANNOT create a Facebook or Google account via your app, they must create it at Facebook or Google. When a user logs in via a social provider, Auth0 creates the account IN AUTH0 if they haven’t logged in before.
Hey @john.gateley thank you for the reply! A few points of clarity and probably another question.
At this time we can’t have users combine their accounts as we use the sub from the JWT in our database to identify them and have no way to tie them together in the application. Bigger project way down in the backlog.
The point here is that even when using the “login” side of the Universal Login Experience, if someone uses a social identity provider, they are immediately added to Auth0 as a new user (user identity), Auth0 rules fire, etc. This seems wrong, they were trying to login, not create a new account with us.
The goal here is not to create a new user in Auth0 (I don’t mean an Auth0 username/password user, a user identity) with any new social identity provider login. I had a user the other day with four user identities in Auth0 because they kept trying to figure out which account they used to set up their profile etc. in our application.
> The register form creates a username/password account. A user CANNOT create a Facebook or Google account via your app, they must create it at Facebook or Google

This is fully understood.
So yes, we may/probably have something not configured correctly, though it feels strange that a new Auth0 user identity is created whenever someone tries to login with a new social identity provider.
Note: The term user identity was taken from this dashboard page: https://manage.auth0.com/dashboard/us/that/users, in trying to find the correct term for my explanation.
A user identity corresponds to a user ID (the sub you talk about). For Auth0, a user ID starts with “auth0|”. For Google, it starts with “google-oauth2|”. It always starts with a unique identifier to name the provider, followed by a unique identifier within that provider.
With that definition, you see that a user identity is different in Facebook and Google (different providers).
I understand this is not what you are trying to achieve, but this is how identity is defined. Identity doesn’t cross over between providers.
Any time you merge identities, there is the possibility of an account hijacking. This is complex, and so merging must be done with care. The account linking extension handles this.
So what all this means is that if you want to have users log in via multiple social providers and a database connection, you will need account linking to merge them.
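The identity rules in the reply above (a sub is “provider|id within provider”, identities never cross providers, and merging is only safe with care) can be made concrete on the application side. The following is an added example written for this thread; it is not Auth0’s code and not the account linking extension. It assumes standard OIDC claim names (sub, email, email_verified) and uses constructed sample profiles; the app user IDs and the IdentityDirectory class are hypothetical.

```javascript
// Added example, not Auth0's own code. It models the identity rules from the
// reply above: a `sub` is "<provider>|<id within provider>", identities from
// different providers are never the same, and merging is only safe with care.
// All sample profiles below are constructed; the field names (sub, email,
// email_verified) are the standard OIDC claim names.

function parseSub(sub) {
  const sep = sub.indexOf('|');
  if (sep <= 0 || sep === sub.length - 1) {
    throw new Error(`malformed sub: ${sub}`);
  }
  return { provider: sub.slice(0, sep), providerUserId: sub.slice(sep + 1) };
}

// Two identities are only the "same" if the entire sub matches. Comparing
// only the provider-local part would conflate auth0|42 with facebook|42.
function isSameIdentity(subA, subB) {
  return subA === subB;
}

// Conservative automatic-linking policy: identical, verified email on both
// sides. Anything weaker lets whoever controls an unverified address at one
// provider attach themselves to an existing account (the hijack risk noted
// in the thread). Mismatched emails are never linked automatically; that
// case needs the user to link explicitly while already logged in.
function mayAutoLink(primary, candidate) {
  if (isSameIdentity(primary.sub, candidate.sub)) {
    return { link: false, reason: 'same identity' };
  }
  if (!primary.email || !candidate.email) {
    return { link: false, reason: 'missing email' };
  }
  if (primary.email.toLowerCase() !== candidate.email.toLowerCase()) {
    return { link: false, reason: 'email mismatch' };
  }
  if (primary.email_verified !== true || candidate.email_verified !== true) {
    return { link: false, reason: 'unverified email' };
  }
  return { link: true, reason: 'verified email match' };
}

// Hypothetical application-side directory: maps every sub the app has
// accepted to one canonical app user. A sub that resolves to null is a
// first-time identity, which the app can treat as "unknown, ask the user"
// instead of silently creating a profile.
class IdentityDirectory {
  constructor() {
    this.subToAppUser = new Map();
  }
  register(sub, appUserId) {
    parseSub(sub); // validate the format before storing
    this.subToAppUser.set(sub, appUserId);
  }
  resolve(sub) {
    return this.subToAppUser.has(sub) ? this.subToAppUser.get(sub) : null;
  }
  // Attach a new sub to the app user that an existing, trusted sub resolves to.
  link(existingSub, newSub) {
    const appUserId = this.resolve(existingSub);
    if (appUserId === null) throw new Error(`unknown identity: ${existingSub}`);
    this.subToAppUser.set(newSub, appUserId);
    return appUserId;
  }
}

// Constructed scenario: one person who signed up with a database account and
// later logs in via Google (same verified email) and Facebook (different email).
function runScenario() {
  const dbUser = { sub: 'auth0|5f1c0de2', email: 'Pat@example.com', email_verified: true };
  const viaGoogle = { sub: 'google-oauth2|109876', email: 'pat@example.com', email_verified: true };
  const viaFacebook = { sub: 'facebook|556677', email: 'pat.other@example.net', email_verified: false };

  const dir = new IdentityDirectory();
  dir.register(dbUser.sub, 'app-user-1');

  const googleDecision = mayAutoLink(dbUser, viaGoogle);
  if (googleDecision.link) dir.link(dbUser.sub, viaGoogle.sub);

  const facebookDecision = mayAutoLink(dbUser, viaFacebook);

  return {
    googleDecision,
    facebookDecision,
    googleResolvesTo: dir.resolve(viaGoogle.sub),     // 'app-user-1'
    facebookResolvesTo: dir.resolve(viaFacebook.sub), // null: first-time identity
    facebookParsed: parseSub(viaFacebook.sub),
  };
}
```

The directory is the piece the thread says is missing in the original poster’s application: because the app keys its records on the raw sub, it cannot tell a returning person on a new provider from a stranger. Keeping a sub-to-app-user table lets the app decide what to do with an unrecognised sub (prompt, or refuse to create a profile) even though Auth0 itself has already created the user identity on that first social login.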
Thank you for the response @john.gateley,
Yes I understand the IDs and we’ll probably add the extension. Unfortunately the extension is only useful if emails match, which I have found in many cases they do not. From what I have seen from our users, it is very common to have different email addresses between social media platforms.
So what I am gathering here is there is no way to keep a new social media identity login from creating a new Auth0 user identity on first login.
The preferred goal is that it is only added if the user is creating an account on our platform, not simply trying to login. This has created confusion with our users.
Perhaps we shot ourselves in the foot a bit by allowing someone to have basic access to our site without having an actual profile, which means we only know about them through the JWT data. This seemed like an okay approach assuming that person had to explicitly create a user identity in Auth0. So I am guessing at this point that there is no way for us to keep a new social identity provider login from creating a new Auth0 user identity?
We really thought there would be an explicit create path and explicit login path with the Auth0 form.