
Link Accounts with Same Email Address not working as expected #130

Closed
LabN36 opened this issue Oct 28, 2017 · 6 comments

Comments


LabN36 commented Oct 28, 2017

Scenario 1: this logic works fine if the user first signs up with email and then uses a social provider (fb/twitter etc.) for signup; this links all the accounts properly.

Scenario 2: if we first use a social provider (fb/twitter etc.) and then use simple email signup, it creates two different accounts, which is not desired; instead it should give a warning that this email is already registered.

Note: in scenario 2, if the user verifies his ID and logs in again, the accounts are merged then, but it keeps two different accounts before that.

IMP: if you try to change the password after signing up with a social provider, you get an error on the Auth0 dashboard that the user does not exist:

Type: Failed Change Password
Description: User does not exist.
Connection: Username-Password-Authentication

This does not happen in any real-world application; I don't know what the intent is. Please guide me if I understood it wrongly.

thameera (Contributor) commented

@LabN36 Linking should happen regardless of which account you sign up with first. Are you still facing issues with the latest version of the rule? https://github.com/auth0/rules/blob/master/rules/link-users-by-email.md


LabN36 commented Nov 28, 2017

@thameera Hey, thanks for stopping by. I've been waiting for a response for a month (also tried to reach you on Twitter).

Well, yes, the issue is still there. You can try running the above scenario yourself, or let me know and I'll create a snippet for you.

I want someone to get involved in this because it's driving me crazy.

thameera (Contributor) commented

Scenario 2 is the expected behavior of the default rule. Linking should not be done if the email is not verified in one of the accounts; otherwise an attacker can register and link themselves to a legit account.

If you'd like to, for example, give an error when the email already exists, you can edit the default rule to do so. Furthermore, you can also redirect the users elsewhere and handle this scenario in your own way.

> if you try to change the password after signing up with social provider you will get an error that user does not exist on the auth0 dashboard

I couldn't repro this. How are you trying to change the password? Can you share any screenshots? (w/o sensitive data)
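The decision described in the reply above, as an added example that is not the auth0/rules repository's own rule and not code posted by either participant. It is a pure function modelled on the policy thameera states: an identity is linked into an existing account only when the email is verified on both sides; an unverified collision is either left as a separate account (the default behaviour that produced Scenario 2) or, with a hypothetical `rejectUnverifiedDuplicate` option, refused outright (the "email already registered" behaviour LabN36 asked for). The user-profile fields (`user_id`, `email`, `email_verified`, `identities`) follow the Auth0 profile shape; the lookup of other accounts with the same email, which a real rule would do through the Management API, is assumed to have happened already and its result is passed in as `sameEmailUsers`. The sample accounts are constructed.

```javascript
// Added example, not the auth0/rules repository's own rule.
// decideLinking() returns what a rule should do for the identity that is
// logging in (`user`), given the other accounts that share its email.
function decideLinking(user, sameEmailUsers, options = {}) {
  // Hypothetical policy switch (assumption, not an Auth0 option): when true,
  // a sign-up that collides with an existing account is refused instead of
  // silently creating a second, unlinked account.
  const rejectUnverifiedDuplicate = options.rejectUnverifiedDuplicate === true;

  const others = sameEmailUsers.filter((u) => u.user_id !== user.user_id);
  if (others.length === 0) {
    return { action: 'continue', reason: 'no other account uses this email' };
  }

  // The security check from the thread: never link on an unverified email.
  // Anyone could otherwise type a victim's address at sign-up and be merged
  // into the victim's account.
  if (!user.email_verified) {
    return rejectUnverifiedDuplicate
      ? { action: 'deny', reason: 'email already registered; verify it before signing in this way' }
      : { action: 'continue', reason: 'current identity has not verified its email; left unlinked' };
  }

  const verifiedOthers = others.filter((u) => u.email_verified);
  if (verifiedOthers.length === 0) {
    return { action: 'continue', reason: 'existing account has not verified this email; left unlinked' };
  }
  if (verifiedOthers.length > 1) {
    // More than one verified account claims the address: do not guess which
    // one should become primary.
    return { action: 'continue', reason: 'multiple verified accounts; needs manual resolution' };
  }

  // Both sides verified: the existing account stays primary, the identity
  // that just logged in becomes a secondary identity on it.
  const primary = verifiedOthers[0];
  const identity = user.identities[0];
  return {
    action: 'link',
    primaryUserId: primary.user_id,
    secondary: { provider: identity.provider, user_id: identity.user_id },
  };
}

// Constructed sample accounts (not real Auth0 data).
const facebookUser = {
  user_id: 'facebook|10001',
  email: 'alice@example.com',
  email_verified: true, // social providers typically assert a verified email
  identities: [{ provider: 'facebook', user_id: '10001' }],
};
const unverifiedPasswordUser = {
  user_id: 'auth0|abc123',
  email: 'alice@example.com',
  email_verified: false, // verification mail not yet clicked
  identities: [{ provider: 'auth0', user_id: 'abc123' }],
};
const verifiedPasswordUser = { ...unverifiedPasswordUser, email_verified: true };

// Replays the two scenarios from the issue plus the attacker case.
function runScenarios() {
  return {
    // Scenario 1: password account (verified) exists, Facebook login arrives.
    scenario1: decideLinking(facebookUser, [verifiedPasswordUser, facebookUser]),
    // Scenario 2 before verification: Facebook account exists, a password
    // sign-up with the same address arrives. Same shape as an attacker who
    // registers with a victim's email: must not be linked.
    scenario2BeforeVerify: decideLinking(unverifiedPasswordUser, [facebookUser, unverifiedPasswordUser]),
    // Scenario 2 with the stricter option: refuse the duplicate instead.
    scenario2Rejected: decideLinking(unverifiedPasswordUser, [facebookUser, unverifiedPasswordUser], {
      rejectUnverifiedDuplicate: true,
    }),
    // Scenario 2 after the user verified and logged in again: now linked.
    scenario2AfterVerify: decideLinking(verifiedPasswordUser, [facebookUser, verifiedPasswordUser]),
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

In a real rule the `link` decision would be followed by the Management API link call and `deny` by returning an error to the rule's callback; the point of the pure function is that the `email_verified` check sits in front of both, so the unverified sign-up in Scenario 2 can never be merged into the existing account.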


LabN36 commented Nov 29, 2017

In general (on most websites), when, let's say, a user first signs up with Facebook, he gets signed in to the website. Then the user logs out. Later, the user wants to log in with the same email instead of using Facebook.

Don't you think a website should show them "wrong password"? (At least this is what 99% of sites do.)

I understand that Auth0 manages these things in a different way, i.e. provider-wise,
but how can I achieve this behaviour?


thameera commented Dec 4, 2017

> don't you think a website should...

The rules we present here are just guidelines/templates and they should be changed to match the desired behavior. I've seen a lot of customers use the exact same rule, so I guess it's just a matter of preference.

> but how can i achieve this behaviour

Sorry, I'm not clear here. Can you clarify what behavior you are trying to achieve and where? (You might have mentioned this earlier, but since we seem to be discussing multiple issues here I'm not sure what exactly this is about.) If you are looking for a custom solution, opening a support ticket or posting in the community will probably be most efficient.

joshcanhelp (Contributor) commented

Obsolete; the rule no longer exists.


3 participants