Prisma1: Allow Auth0 Users to have multiple signins / auth0ids after they merge their auth0 accounts

Created on 15 Dec 2016  ·  6 Comments  ·  Source: prisma/prisma1

Example: If a user creates an account through Auth0 username/password (auth|etc...) and then later returns to the site and attempts to login with facebook, a new account will be created (facebook|etc...). If the Auth0 Admin has created a rule that automerges accounts, the original username/password account will get merged on the auth0 database with the facebook one under the facebook auth0id. If the user then attempts to login to their graph.cool app with the original Auth0 username/password credentials, they'll find that they are now in their second duplicate facebook account and that their original account is unreachable (two accounts exist on the graph.cool db, one for the facebook|... and one for the auth|..., but only one account exists on the auth0 database with both identities merged under a single id).

Most helpful comment

@carlpeaslee when you link the accounts, there is a primary and secondary user. In my experience, as long as you maintain the primary user in the linking process, the Graph.cool account persists between the various connections. Auth0 provides a Rule for this, which I am using, but you need to reverse the user Ids in the API call when linking the accounts in order to maintain the primary user.

However, depending on your login/signup flow, this can cause problems. The accesstoken/idtoken returned from Auth0 on the first login attempt when the accounts are not yet linked (the rule has not run yet) are not valid. I am assuming this is because that user doesn't get created and instead gets merged, so we actually want the accessToken and IdToken from the primary user that this login will be merged with.

I am still working on a way to solve that issue for my own use, but it only happens on the first login, but all subsequent logins (once the accounts are merged) the idToken/accessToken are correct and everything persists in Graph.cool.

All 6 comments

I'm working on a solution for this and right now I'm thinking that the best way to handle it is to make sure that a second graph.cool user never gets created. I'm going to try and set up my authentication process so that it automatically creates the new auth0 account and merges it with the existing so that graph.cool never needs to worry about multiple auth0ids. I'll let you know how it goes.

So I got a version/workaround working that basically goes like this:

- when a user starts the login/signup process using username/pw provider, check to see if they have a graph.cool account
- if they do and it's a username/pw account, proceed as usual
- if they do but it's a facebook account, tell them they should just login with facebook and don't let them use username/pw

- when a user starts the login/signup process using fb, let them signup/login through facebook then check to see if they have a graph.cool account
- if they do and it's a fb account, no problem, proceed as usual
- if they do but it's a username/pw account, prompt them to connect their facebook profile to it by signing in with their username/pw account and then using auth0's api to link the two accounts on auth0's end -- once you do that you can login to graph.cool with either fb or username/pw without any duplication problems.

Will try to give a live example / code once I iron a few things out. Also Auth0 keeps messing with their api docs -- like, while I'm working on this... so who knows what will be the best way to do this tomorrow... :roll_eyes:

Hello guys, I'm facing the same issues here. How about creating a Hook to actually create the Graphcool user directly from Auth0?

I'm facing the same issues. +1 for @picosam requesting a Hook.

@cartogram I am not sure how you are reversing it. Where in the rule do you modify it? Do you just call data = data.reverse() before the loop?

This issue has been moved to graphcool/graphcool-framework.
