
What would be the recommended way to support linking a local account to an existing social account?

Scenario:

  1. User has previously signed up with a social account (Google/Facebook etc.) - bob@contoso.com
  2. User signs up with a local account with the bob@contoso.com email address.
  3. User should be able to sign up using either his previously configured social account or a local account via email/password.

I've seen some samples on GitHub and discussions here on StackOverflow about a scenario where, during social sign-up, a local identity is created with the social email address set as signInNames.emailAddress and a GUID as a temporary password.

Then later on the user can reset his password, or we can tweak the local account sign-up policy to overwrite the temporary GUID password with a new one when the user signs up with a local account.

Another scenario that comes to my mind would obviously be to not create the local identity upfront. Then, when the user tries to sign up using a local account, we could check whether the e-mail address he provided during local account sign-up is already associated with any social account (is this possible? I didn't find a way to read an account by email from the alternativeSecurityIds/userIdentities attribute. Maybe the otherMails attribute could be used to read an account by email; however, I'm not sure if otherMails should/can be used to unambiguously identify an account). If so, we could merge the local identity into the existing social account.

Is the second approach even possible to achieve? Or should I stick to the first one, which is already used in some samples on GitHub?

kamilz

1 Answer

I use this one.

Create the local account first, then users can link to their social accounts (but they have to authenticate with each one to prove they own it).

rbrayb
  • Thanks, but this sample doesn't cover linking a new local account into an existing social account. The sample shows a scenario where I can link new social identities into an existing account. I'm interested in a scenario where at the beginning the user created a social identity and then he would like to create a local identity. In your sample, when I first created an account with a social identity, and then I signed up with a local account with the same e-mail as the social one, a second Azure AD B2C account was created and they were not linked. – kamilz Apr 06 '22 at 10:19
  • That sample works. I've used it a few times. The emails do not have to be the same. Regarding your question, you could start the user journey by authenticating with a social account, then add a sign-up self-asserted flow, and then link the two. But the user does not "authenticate" during sign-up, hence I prefer to sign up outside the flow and then sign in and link. – rbrayb Apr 07 '22 at 02:29
  • Ok. I thought about a scenario where some time ago the user created his account via social login (let's say Facebook) with social email = `bob@contoso.com`. 3 months later he comes back to my app and has forgotten that initially he used FB. He tries to sign up with a local account and e-mail address `bob@contoso.com`. Here, I would like to automatically link his local identity (or ask him to link it) to the existing social account so later on he can sign in using either FB or the local identity. And I started wondering what would be the best way to do this. – kamilz Apr 07 '22 at 13:42
  • In this scenario, during local account sign-up I would have to check if there is already an account with a social identity with the `bob@contoso.com` email address. Social identities are stored in `alternativeSecurityIds`; however, the social email is not stored there. So I would have to either find the account by looking at the `otherMails` attribute (not sure if it's the correct way) or pre-provision a local identity (`signInNames.emailAddress` = social email) with a random password during the first user sign-up with a social identity. – kamilz Apr 07 '22 at 13:48
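The second approach from the question (look up an existing social account by e-mail during local sign-up and merge the local identity into it), as an added example that is not code from the question, the answer, or Azure AD B2C itself. It assumes the Microsoft Graph user shape (`identities` and `otherMails`), a tenant named `contoso.onmicrosoft.com`, and that the social e-mail was stored in `otherMails`; because `otherMails` is not a unique key, the decision logic links only when exactly one social account matches and the person signing up has already proven control of the mailbox, which is the "prove they own it" point from the answer.

```python
"""Decide what to do when someone signs up with a local (email/password)
account whose e-mail may already belong to a federated (social) user.
Sample records below are constructed in the Microsoft Graph user shape;
the tenant issuer name is an assumption, not real tenant data."""

TENANT_ISSUER = "contoso.onmicrosoft.com"  # assumption: the B2C tenant

# Constructed sample: u-1 signed up via Facebook and its e-mail landed in
# otherMails; u-2 is a plain local (emailAddress) account.
USERS = [
    {"id": "u-1", "otherMails": ["Bob@contoso.com"],
     "identities": [{"signInType": "federated", "issuer": "facebook.com",
                     "issuerAssignedId": "10001"}]},
    {"id": "u-2", "otherMails": [],
     "identities": [{"signInType": "emailAddress", "issuer": TENANT_ISSUER,
                     "issuerAssignedId": "alice@contoso.com"}]},
]

def has_local_identity(user, email):
    """True if this user already has a local sign-in name equal to email."""
    return any(i["signInType"] == "emailAddress" and i["issuer"] == TENANT_ISSUER
               and i["issuerAssignedId"].lower() == email.lower()
               for i in user["identities"])

def social_accounts_for_email(users, email):
    """otherMails is not unique, so this may return zero, one or many users."""
    return [u for u in users
            if any(m.lower() == email.lower() for m in u.get("otherMails", []))]

def plan_local_signup(users, email, email_verified):
    """Return (action, payload). 'link' is produced only when exactly one
    social account matches AND the mailbox has been verified; otherwise the
    caller creates a separate account, verifies first, or asks the user."""
    if any(has_local_identity(u, email) for u in users):
        return ("reject", "local account already exists")
    matches = social_accounts_for_email(users, email)
    if not matches:
        return ("create", None)
    if not email_verified:
        return ("verify_first", [u["id"] for u in matches])
    if len(matches) > 1:
        return ("ambiguous", [u["id"] for u in matches])
    target = matches[0]
    # Graph PATCH body for the existing user: identities is sent as a whole
    # collection (assumption: existing entries must be resent, not appended).
    patch = {"identities": target["identities"] + [
                 {"signInType": "emailAddress", "issuer": TENANT_ISSUER,
                  "issuerAssignedId": email}],
             "passwordProfile": {"forceChangePasswordNextSignIn": False,
                                 "password": "<taken from the sign-up form>"}}
    return ("link", {"userId": target["id"], "patch": patch})
```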