Currently, the extension only works at sign up. Are there any plans of enabling this at login too? This would be helpful when you already have users with multiple identities, and you want the user to do the account linking at login. Looks like the rule specifically checks if this is the first login, we could just remove that check to enable this.

Is there a way to set up/configure the account linking extension so that it:

1. Bypasses the User prompt to do account linking and proceeds with the linking process
2. Fails the newer user creation if the account linking fails (I reckon this part could be tricky since the rule processes post user registration right?)

The reason for this need is that auth0 accounts map back many to one to our accounts via email. At the same time we don't require email verification by default for basic auth0 accounts. So if a user proceeds to social signup for an email that has an existing direct unverified account, we would use the notion of the dual authorization to guarantee that the user has proper access to both identities.

When using a custom domain the following template is not correct by default leading to a "Invalid issuer" error after account linking occurs at the server.

This needs to follow the custom domain setting, e.g. "auth.foo.com" when a custom domain is used rather than auth0.domain.

I saw that credentials of the client id and client secret of the rule are written directly into the rule. isn't it possible to use instead the config variable keys for rules?
that can also solve the issue of custom domain that need to be re-applied on each update of the extension.

are you open to that kind of change? if yes, do you have some advice to do it properly?

Rule will fail if user.email does not exist for example accounts logging in via twitter.

Easy fix, add to the rule at top

  if (user.email === undefined) {
    return callback(null, user, context);
  }
  

Just been experimenting with account linking in multiple scenarios and hit some bugs.

Steps to reproduce:

1. Sign up with Facebook
2. Sign up with Google and account link when prompted
3. Sign up with another (e.g. DB with same email)

First thing I notice: the message for account linking on the 3rd account sign up (2nd account link) says "You main sign in with Google or Facebook to link accounts" but the continue button will always take you to the first of these options. not sure if it should give a choice, or just show the first matching identity to be consistent. Don't think the behaviour should should change in another situation to keep things simple.

Second more major thing: when I click continue the account linking takes place successfully as confirmed in the dashboard however, in the application it always hits a "Wrong state parameter given." error when the callback is executed. I've been testing this with Django using python-social-auth.

Thanks
Philip

@fyockm Thanks for looking at that other bug for me, do you also work on this extension?

The account linking page looks quite different to the other pages, and the colours do not match.

When will this be updated?

UI Should resemble Lock

It looks like you have another account with the same email address. We recommend you link these accounts.

I want to skip this and create a new account. (Not recommended)

Continue >

I want to skip this and create a new account. should be the exact same formatting as the forgot password text on regular lock.

I'd imagine you could prompt the user to login with some other account if there's no email provided, or at least support email passwordless.

Hello,

I found a situation that in my humble opinion is a bug.

The thing is: when the rule code looks for users with the email (link.js#L202) it does not take into consideration the databases(connections) that are enabled for the current application that is being used. It searches for the user in all the databases (that could be of other not related application) and shows the user the linking page.

Example: We have two different applications (eg. Run and Walk) that have different databases (e-mail/password). The user can have accounts in both applications, but they are different users. If we add a social connection (database) for one of the applications (eg. Run) and the user tries to log in, it looks in both databases (Run and Walk) for the user with email. But it should not, as databases are only associated with their own application (Run app -> Run database and Walk app -> Walk database).

Even if we edit the rule to filter out the users in databases not associated with the current application (by getting the application ID (client_id) from the query, called the connections API (GET /api/v2/connections) and removed from the user list all the users from databases that were not associated with the desired application.) it does not work correctly.

In the extension code the matching users are listed from all the connections(code from get_index.js), just like is done in the rule code.

So, this causes a lot of problems we have a user with the same email in databases that are not associated with the current application. IMHO, the search by email should respect the connections that are enabled for the application.

I hope my explanation is clear, if you have any questions, please let me know.

(version used: Auth0 Account Link Version 2.6

Tried to find more what Locale is about on the menu, but a popup with [Object] appears

Document the extension and link it to the extension installation page

Reference: Authorization extension
https://github.com/auth0/auth0-authorization-extension/

We have a few social authentication providers along with a passwordless email (via code) options for unified sign-in flow, on a custom hosted page.

We have also enabled the Auth0 Account Linking Extension.

Here are the steps that break the extension:

1. Sign in for the first time using the passwordless email option.
2. Sign out from the application
3. Sign in using any social provider with the same email.
4. The Auth0 Account Linking Extension is Triggered as expected.
5. Select continue on the widget

Error: A blank screen with cannot get /wsfed error on it.

URL:

https://login.auth0.com/lo/wsfed?disable_signup=false&name=email&email=&authParams=&totp=&brute_force_protection=true&store=&strategy_instance=email&wctx=ixR7f8jdwYqplEVZ5JO048LTIwXDVAur&wtrealm=urn%3Aauth0%3Afreecodecamp-dev%3Aemail&wa=wsignin1.0

There are no errors logged on the application Dashboard > Logs.

However, if you switch the steps 1 and 3, that is use a social provider for first time account creation and then follow the email passwordless path. It seems to work without issues.

Original report here

Hi ,

we are getting access denied exception when trying to use this extension for linking the account

{
  "body": {
    "wa": "wsignin1.0",
    "wresult": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VyX2lkIjoiNWI1YWExODNiYzliNzUyYzUyMzEzNDMyIiwiZW1haWwiOiJwYXJlZWsuYXNlZW1AZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImxhc3RfcGFzc3dvcmRfcmVzZXQiOiIyMDE4LTA3LTI3VDA0OjQxOjMyLjU4NVoiLCJzaWQiOiJIVW85bm1oWkRyX1duQjFSQnpxZFItOWQ2b0RDRjBWNSIsImlhdCI6MTUzMjY2OTY1MywiZXhwIjoxNTMyNjY5NzEzLCJhdWQiOiJ1cm46YXV0aDA6ZXZhcmktc3RhZ2luZzpVc2VybmFtZS1QYXNzd29yZC1BdXRoZW50aWNhdGlvbiIsImlzcyI6InVybjphdXRoMCJ9.JCw5C4o2RDBeeatBiZV7yUiE6l5lqYqrI5FAcJa5chVhjhZHim2Y7F2pzqvrCnGvprYjz_6hn0RMozqmESb_Q9piw9Kpk1qw4pMCKjlGN0iIxcWWy2WORwyFQSJrUFsm_M3FjNdZlwXoZsmsxITf3Kb-Qt5RN2hflthdw8f-dXM",
    "wctx": "{\"strategy\":\"auth0\",\"auth0Client\":\"eyJuYW1lIjoibG9jay5qcyIsInZlcnNpb24iOiIxMC4yMy4xIiwibGliX3ZlcnNpb24iOiI4LjEwLjEifQ==\",\"tenant\":\"evari-staging\",\"connection\":\"Username-Password-Authentication\",\"client_id\":\"qKu9X8YaASjMan8sVXl3SK0k866xhsUT\",\"response_type\":\"token id_token\",\"scope\":\"profile email\",\"protocol\":\"oauth2\",\"redirect_uri\":\"https://ourapp-dsdsdsds.web.evari.insure/callback\",\"state\":\"QPZcYd3ax3YCae7FkJ9pqiwdyYlc46aE\",\"nonce\":\"ilSxKp58B3HvzKhD8lVHuZPebtGkD3w6\",\"sid\":\"HUo9nmhZDr_WnB1RBzqdR-9d6oDCF0V5\",\"audience\":\"https://evari-staging.au.auth0.com/userinfo\",\"realm\":\"Username-Password-Authentication\",\"session_user\":\"5b5aaed5e1e29c2d3e66c3e9\"}"
  },
  "qs": {},
  "connection": "Username-Password-Authentication",
  "error": {
    "message": "[object Object]",
    "oauthError": "access_denied",
    "type": "oauth-authorization"
  }
}

Any ideas what might be going wrong?

There is always a new account that gets created

Error: Cannot find module '[email protected]' Require stack: - /data/io/node18/7c4e6e40-ac3a-49bb-9682-328d5edb1bd3/webtask.js

Asking here because no answer received in the community here.

Need to pass options to hosted lock.

In the account link rule, trying to read from the query param results in:

ERROR: Cannot read property 'link_account_token' of undefined

Steps to reproduce:
call this rule with a context which does not include a query param. This can happen when calling the /oauth/token endpoint to log in.

Workaround:

at the beginning of the rule include the line:

if (!context.request.query) context.request.query = {};

Hi,

I've got a custom domain on my auth0 instance and I use it in my app to verify the token.

As a user, when I want to link account by clicking on "Continue", I'm redirected on the default domain login page.

Hence, the token generated when the account are linked is not issued as the custom domain but as the default one.

So my app fails authenticating the user with the token, throwing the error:
Issuer (iss) claim mismatch in the ID token; expected "<CUSTOM_DOMAIN>", found "<DEFAULT_DOMAIN>"

My workaround is to catch this error message and do another login flow
As I didn't find any way to configure the account link extension to go on my custom domain page

I'm not sure someone from the repo will read this, but hopefully it may help someone

Another edge case issue with account linking, when there are multiple Google accounts.

Steps to reproduce:

1. Sign up using Google
2. Sign up using something else using same email (e.g. DB)
3. When promoted to account link with "You may sign in with Google to link accounts." deliberatly choose the wrong Google account with a different email
4. It correctly catches the error with "Accounts must have matching email addresses. Please try again."
5. Now try again and select the right account
6. The accounts are linked corrected as confirm in the dashboard
7. But the callback in the application hits a "Wrong state parameter given." error
8. I also notice there is a user created in the dashboard for the account that was clicked in error in step 3

I'm using Django with python-social-auth.

@fyockm Last one for now I promise...

Dug into the code and found it encodes the query string params when calling authorize using encodeURI but this is not sufficient for query params. For query params you must use encodeURIComponent instead which handles #, @, &, ?, /, =, etc

While trying to setup the extension for Storezero, I noticed that when I try to sign up with an account that matches the required conditions for linking, the authorization flow breaks with an access_denied error and vAV2y3LvyrZ442fpfOfjkp1Uol6uH4dJ is not defined as the message.

Webtask rule logs:

4:09:13 PM: Connected to storezero-franco
4:09:45 PM: new webtask request 1504120185417.887545
4:09:45 PM: undefined 'Entered Account Link Rule'
4:09:45 PM: finished webtask request 1504120185417.887545 with HTTP 500 in 281ms
4:09:45 PM: setting tenant quarantine
4:09:45 PM: faulting webtask container following request 1504120185417.887545 failure
4:10:27 PM: new webtask request 1504120227896.279945
4:10:28 PM: undefined 'Entered Account Link Rule'
4:10:28 PM: {
  "code": 500,
  "error": "Script generated an unhandled asynchronous exception.",
  "details": "ReferenceError: vAV2y3LvyrZ442fpfOfjkp1Uol6uH4dJ is not defined",
  "name": "ReferenceError",
  "message": "vAV2y3LvyrZ442fpfOfjkp1Uol6uH4dJ is not defined",
  "stack": "ReferenceError: vAV2y3LvyrZ442fpfOfjkp1Uol6uH4dJ is not defined\n    at async.waterfall.callback.user (/data/io/289d43d45c5c4c2fabdb22981c1adeb5/webtask.js:36:17)\n    at fn (/data/sandbox/node_modules/auth0-authz-rules-api/node_modules/async/lib/async.js:638:34)\n    at Immediate._onImmediate (/data/sandbox/node_modules/auth0-authz-rules-api/node_modules/async/lib/async.js:554:34)\n    at processImmediate [as _immediateCallback] (timers.js:396:17)"
}
4:10:28 PM: Code generated an uncaught exception:  ReferenceError: vAV2y3LvyrZ442fpfOfjkp1Uol6uH4dJ is not defined
    at async.waterfall.callback.user (/data/io/289d43d45c5c4c2fabdb22981c1adeb5/webtask.js:36:17)
    at fn (/data/sandbox/node_modules/auth0-authz-rules-api/node_modules/async/lib/async.js:638:34)
    at Immediate._onImmediate (/data/sandbox/node_modules/auth0-authz-rules-api/node_modules/async/lib/async.js:554:34)
    at processImmediate [as _immediateCallback] (timers.js:396:17)
4:10:28 PM: finished webtask request 1504120227896.279945 with HTTP 500 in 238ms
4:10:28 PM: setting tenant quarantine
4:10:28 PM: faulting webtask container following request 1504120227896.279945 failure
4:10:28 PM: new webtask request 1504120228989.519074
4:10:28 PM: error processing webtask request 1504120228989.519074

When using the account linking extension it seems the access_token returned to the application is an opaque value rather than a JWT.

I'm not sure what's going on, still trying to t-shoot, will update this ticket

Is it possible to add the french translation for Auth0 ?

I prepare the json if necessary ?

"fr": { "_name": "French", "pageMismatchError": "Vous semblez avoir atteint cette page par erreur. Veuillez réessayer de vous connecter", "continue": "Continuer", "accountLinking": "Liaison de compte", "introduction": "Il semble que vous ayez un autre compte avec la même adresse e-mail. Nous vous recommandons de lier ces comptes.", "skipAlternativeLink": "Je veux ignorer cela et créer un nouveau compte. (Non recommandé)", "sameEmailAddressError": "Les comptes doivent avoir des adresses e-mail correspondantes. Veuillez réessayer.", "identities": "Vous pouvez vous connecter avec {{identities}} pour associer les comptes", "or": "ou" },

Thank you for your answer.
best regards

When trying to link a database account to an existing social login account I get a state does not match error, but the linking is successful and the next login will be as expected.

My exact use case is the following:

• Login via Google
• Login via Database with the same email using custom database (therefore no need to sign up)
• Link accounts
• Get state does not match error

Since Rules are getting deprecated, there should be a migration from using a rule to using an action.

Hopefully a guide can be provided to migrate existing installations, and perhaps this can be done already for new installs so that we don't have to manually do it.

PS: Hopefully this also resolves #163

The current search is case sensitive, Auth0 stores emails all lower case. If you add for example Azure AD logins and they use capitals there is no way to match emails

Not sure if this is the place to report this bug.
I am trying to look at and change settings for our extension, but clicking the Auth0 Account Link (see image below) button results in a failed login attempt (see other screenshot).

I was certain I could find our extension settings there - am I doing something wrong, or is there a bug in the extension?

Hi,

Is there a way to force users to link accounts? In my scenario, the user is identified by his or her email in the database, if he or she has multiple login options it is fine, but creating different users in auth0 with the same email will break my system because there will be two users with same email addresses.

If I could force users to link their account if they use the same email address this would be solved I think.

The link to continue and skip linking accounts uses the auth0 domain and not my custom domain and the authentication request is "Unauthorized" and the user is not logged in. If I go back and login again then the login process is successful and the account link modal is not displayed since the accounts were not linked and the user chose to skip that step.

If I change the URL on the unauthorized page to use my custom domain https://auth.foo.com/continue?state=...... then the login process is successful.

The extension doesn't interoperate with device authorization flow, specifically the browser flow section as outlined here:
https://auth0.com/docs/flows/device-authorization-flow

The user opens the 'activation' link, enters the device code, and then is prompted to login or signup. After signing up, user is prompted to link accounts. After agreeing to link accounts, user sees an error page:

invalid_request: Invalid parameter: client_id must be a string

I believe the error occurs because the extension assumes there's a client_id in the request parameters, as there would be for authorization code flow but is not in this flow.

Setting a custom css path in the extension settings does not work properly. The user is supposed to enter an absolute URL, however, the rendered page takes it as a relative URL and puts a "https://cdn.auth0.com/extensions/auth0-account-link/assets/" in front of it.

Description

Running into an issue trying to change the messaging in locales. If I customize the text in locales, it overwrites any customization I’ve done in the widget settings screen. When I then update the widget settings to add my customization back, the locales are reset to their default values, overwriting my customization.

Steps to reproduce

1. customize something on the Widget Settings screen, such as the color and click Save Changes
   
2. click on Manage Locales in the top right menu, then customize any of the fields and click Save Changes
   
3. go back to the Widget Settings screen and notice that your customizations have been overwritten
4. add your customizations back to the Widget Settings screen and click Save Changes
5. click on Manage Locales and note that your customization is lost

Expected behavior

Customizations should persist on both the Widget Settings and Locales screens

Steps to reproduce

1. Create a Google Social Connection ("[email protected]") user in Auth0 tenant
2. Log "[email protected]" out of google, log back into google with another account ("[email protected]")
3. Sign up/log in to Auth0 tenant with a Database connection using "[email protected]"

Expected: I am prompted to select the correct google account to use for account linking

Actual: The account linking extension attempts to use the logged in google account ("[email protected]") to link with the "[email protected]" Database connection, resulting in an error.

Current workaround

It is possible to address this issue by always sending prompt=select_account to Google using a static upstream_params connection option.

Workaround gap

This makes for a sub-optimal log experience for every other interaction with Goolge since the user is always prompted to select an account. Ideally, we would be able to target only the account linking flow with prompt=select_account.

Potential solution

It seems to me if we added prompt=select_account to the /authorize request required for account linking:

I'm using this plugin and I can't get it to work. It prompts to login the previously created account but it doesn't link the accounts after a successful login, I can still see both users on Auth0 dashboard. On android logcat I get this error:

E/OAuthManager: Error, access denied. Check that the required Permissions are granted and that the Application has this Connection configured in Auth0 Dashboard.

On Auth0 Dashboard Logs I get Failed Login on my main client, not on the client that this extension creates. Any suggestion?

The previously created account is Auth0's and the new one is a social account (tried Google and Facebook). I'm using WebAuthProvider to login social accounts. I tried to verify the email first, still not working.

This doesn't work when using the SSO integration with SharePoint 2013. Any workarounds?

When I try to install the extension it says:

Error trying to install Auth0 Account Link. Please try again later.

I investigated a little bit more and there is a call to this URL, after the auth0-account-link application is created:
https://sandbox12-eu.it.auth0.com/api/run/lavoz/[LARGE_CODE_HERE]/.extensions/on-install

And it returns this error:

  "code": 400,
  "message": "Compilation failed: Cannot assign to read only property 'exports' of object '#<Object>'",
  "error": "Cannot assign to read only property 'exports' of object '#<Object>'",
  "stack": "TypeError: Cannot assign to read only property 'exports' of object '#<Object>'\n    at Module.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:6129)\n    at Module.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:6959)\n    at t (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:124)\n    at Object.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:5534)\n    at t (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:124)\n    at Object.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:3775)\n    at t (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:124)\n    at Object.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:3447)\n    at t (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:124)\n    at Object.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:2076)\n    at Object.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:2999)\n    at t (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:124)\n    at Object.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:1492)\n    at Object.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:1828)\n    at t (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:124)\n    at Object.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:963)"
}

Formatted for easier reading:

TypeError: Cannot assign to read only property 'exports' of object '#<Object>'
    at Module.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:6129)
    at Module.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:6959)
    at t (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:124)
    at Object.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:5534)
    at t (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:124)
    at Object.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:3775)
    at t (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:124)
    at Object.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:3447)
    at t (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:124)
    at Object.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:2076)
    at Object.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:2999)
    at t (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:124)
    at Object.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:1492)
    at Object.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:1828)
    at t (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:124)
    at Object.<anonymous> (/data/io/node12/714b1239-f9fc-46f1-89e3-9b2304c47b92/webtask.js:2:963)

The account linking extension is failing on newly created tenants - I suspect that it does not work on the Node 18 runtime

Steps to reproduce:

• Create a tenant
• Install the "Auth0 Account Link" extension
• Open the "auth0-account-link-extension" rule and click "Save and Try" and then "Try"
• The rule fails with:

ERROR: Cannot find module '[email protected]'
Require stack:
- /data/io/node18/8e88feb3-2f75-48a2-8a40-e54c2844983a/webtask.js

Raised by customers in auth0/nextjs-auth0#1384 and https://community.auth0.com/t/auth0-account-link-error-with-importing-modules/114153

The customer should be able to install custom CSS and image to resemble their Lock aesthetics

Reference: SSO Dashboard Extension
https://github.com/auth0-extensions/auth0-sso-dashboard-extension

I have a custom universal page that's built and I'd love to mimic the look that I have going on there, in addition modify some of the language. Is there any way to allow me better control over customizing the HTML or the messaging on this extension?

If you have an existing account (where you received a welcome email), then signing into and linking a social account shouldn't send out another welcome email.

This may be related to the architectural issue of not treating non-database connections the same way as database connections (f.e. no pre-registration trigger, etc.), and I think ideally the account linking flows* should be built into Auth0, instead of being implemented as an extension that becomes outdated quickly.

* Optional and forced linking/DB account.

Asking here, because no answer received in the community yet.

Let's say if a user email [email protected] has an ADFS provider which comes from the internal xxxxxxxxx.com and then they migrate their ADFS to yyyyyyyy.com the user now has two identifiers but the email address is still the same [email protected] - they should be linked/merged - but this is not the case.

adfs|xxxx-adfs-sso|[email protected]
adfs|xxxx-adfs-sso|[email protected]