Preflight checklist
Ory Network Project
No response
Describe the bug
Ory Kratos now supports automatic account linking for OIDC.
docs: https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account and the PR #3563
I believe the process described in the "Account linking on login and registration" section is implemented differently.
The docs say: "3. Since the email address already exists, the user will be prompted to enter the password chosen in step 1."
But actual flow is:
3.1. oidc callback
3.2. redirect to registration (with errors)
3.3. submit (continue)
3.4. pre registration hook called
3.5. create identity or throw duplication error
3.6. catch duplication error and link identity
This flow has multiple issues:
- The redirect to registration (3.2) is validated against the identity schema. If the OIDC response has schema validation errors, it prompts for correction instead of linking.
- An external system ~~should~~ must make a 2PC with the pre/post hook (3.4) to save the duplicated identity and then merge them on commit. It's not good from the perspective of "Be conservative in what you do, be liberal in what you accept from others." It can be fully avoided by checking for duplication ahead of time. Well, for a proper 2PC all exits from the flow should be hooked, so it's not easy. (Why was 2PC "should"? An external system may hold unique constraints that can't be validated by the IdP schema, and these constraints need to be transactional between the IdP and this system, so all logic after the pre-hook must be error-free, or the post-hook must perform the 2PC commit/rollback.)
- It's generally strange to enter registration flow to link the account.
I think it can be solved by moving duplication error to oidc callback.
Reproducing the bug
docs: https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account
"Account linking on login and registration" section
Relevant log output
Relevant configuration
Version
master
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response
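To make the ordering problem concrete, here is an added, self-contained Go model of the two orderings (the current "create, catch duplicate, link" flow from steps 3.2-3.6 versus the proposed "check for the duplicate in the OIDC callback" flow). It is not Ory Kratos code; `IdentityStore`, `ExternalSystem`, `CurrentFlow`, `CheckAheadFlow`, `Scenario` and the sample email are all hypothetical names and constructed input. The external system stands in for a downstream service that a pre-registration hook provisions into; it counts provisioning calls so you can see how many it would have to reconcile.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model of the two orderings discussed in the issue; not Ory
// Kratos code. All names here are illustrative.

var ErrDuplicate = errors.New("identity with this email already exists")

// Identity is an IdP account with the OIDC providers linked to it.
type Identity struct {
	ID        string
	Email     string
	Providers []string
}

// IdentityStore enforces a unique constraint on email, as the IdP's own
// identity table would.
type IdentityStore struct {
	byEmail map[string]*Identity
	nextID  int
}

func NewIdentityStore() *IdentityStore {
	return &IdentityStore{byEmail: map[string]*Identity{}}
}

// Create inserts a new identity or fails with ErrDuplicate.
func (s *IdentityStore) Create(email, provider string) (*Identity, error) {
	if _, exists := s.byEmail[email]; exists {
		return nil, ErrDuplicate
	}
	s.nextID++
	id := &Identity{ID: fmt.Sprintf("id-%d", s.nextID), Email: email, Providers: []string{provider}}
	s.byEmail[email] = id
	return id, nil
}

func (s *IdentityStore) FindByEmail(email string) (*Identity, bool) {
	id, ok := s.byEmail[email]
	return id, ok
}

// Link attaches a provider to an existing identity (idempotent).
func (s *IdentityStore) Link(id *Identity, provider string) {
	for _, p := range id.Providers {
		if p == provider {
			return
		}
	}
	id.Providers = append(id.Providers, provider)
}

// ExternalSystem stands in for a downstream service that a pre-registration
// hook provisions into. Every call is a side effect the IdP cannot undo by
// simply catching a duplication error later.
type ExternalSystem struct {
	Provisioned map[string]int // email -> number of provisioning calls seen
}

func (e *ExternalSystem) PreRegistrationHook(email string) error {
	if e.Provisioned == nil {
		e.Provisioned = map[string]int{}
	}
	e.Provisioned[email]++
	return nil
}

// Flow is one ordering of "hook, create, link" for a single OIDC sign-in.
type Flow func(store *IdentityStore, ext *ExternalSystem, email, provider string) (*Identity, error)

// CurrentFlow models steps 3.2-3.6 of the report: enter registration, run the
// pre-registration hook, try to create, and link only when creation fails
// with a duplication error. The hook has already fired by then.
func CurrentFlow(store *IdentityStore, ext *ExternalSystem, email, provider string) (*Identity, error) {
	if err := ext.PreRegistrationHook(email); err != nil {
		return nil, err
	}
	id, err := store.Create(email, provider)
	if errors.Is(err, ErrDuplicate) {
		existing, _ := store.FindByEmail(email)
		store.Link(existing, provider)
		return existing, nil
	}
	return id, err
}

// CheckAheadFlow models the proposal: detect the existing identity in the
// OIDC callback and link there, so registration and its hooks never run for
// an account that already exists.
func CheckAheadFlow(store *IdentityStore, ext *ExternalSystem, email, provider string) (*Identity, error) {
	if existing, ok := store.FindByEmail(email); ok {
		store.Link(existing, provider)
		return existing, nil
	}
	if err := ext.PreRegistrationHook(email); err != nil {
		return nil, err
	}
	return store.Create(email, provider)
}

// Scenario signs the same (constructed) email in through two providers and
// reports how many IdP identities exist, how many providers are linked to the
// surviving one, and how many provisioning calls the external system saw.
func Scenario(flow Flow) (identities, linked, hookCalls int, err error) {
	store := NewIdentityStore()
	ext := &ExternalSystem{}
	const email = "alice@example.com" // constructed sample input
	for _, provider := range []string{"google", "github"} {
		if _, err = flow(store, ext, email, provider); err != nil {
			return 0, 0, 0, err
		}
	}
	id, _ := store.FindByEmail(email)
	return len(store.byEmail), len(id.Providers), ext.Provisioned[email], nil
}

func main() {
	for name, flow := range map[string]Flow{"current": CurrentFlow, "check-ahead": CheckAheadFlow} {
		ids, linked, calls, err := Scenario(flow)
		fmt.Printf("%-12s identities=%d linked=%d external_provisioning_calls=%d err=%v\n", name, ids, linked, calls, err)
	}
}
```

Both orderings end with one identity and two linked providers, but with `CurrentFlow` the external system has seen two provisioning calls for one account and must reconcile the second, which is the 2PC burden described above; with `CheckAheadFlow` it sees exactly one.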