Open mooreds opened 3 years ago
Not sure this would be possible. We are linking to a user at the tenant level, so if we were to add this type of configuration - the first app to authenticate the user within a tenant would set the linking mode.
This may be a confusing behavior. I suppose if we made the assumption that a tenant had one application, then it may work how you expect.
I don't think it would be possible to resolve properly if we added this. Let's say you have this:
Tenant: Pending link
App 1: Create and link based on email
App 2: Anonymous
If you sign in via App 2 the first time, then the user has no identity. Then you SSO login to App 1 and it needs the email, it could explode. And then if you SSO login to App 3 (which uses the Tenant config) it might require a bunch of information that is collected on the Advanced Registration form, but that will now be missing. This might work if we change complete registration to fill in additional details, including identity (email/username and password), but currently that isn't how it is set up.
I'd need to understand some use cases for this in more detail as well in order to ensure it makes sense overall.
I suppose we can wait and see if anyone wants this. The use case is:
link email, create user if not found strategy
link email, don't create user if not found strategy
But I want to avoid making up requirements and it sounds like it isn't as straightforward as I thought it might be.
Future readers! If you are a FusionAuth user who is using IdP linking and have a use case for this functionality, please chime in.
Add ability to override IDP linking strategy at the application level
Problem
I want to use the cool new IdP linking feature (released in 1.28) but want different strategies for different applications.
Solution
The same way I can override buttonText on an application by application basis, I want to be able to override linking strategies.
Alternatives/workarounds
For SAML/OIDC providers, I can create a separate one. But for social providers such as Google, no other options exist than to pick one strategy and make it work.
Additional context
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.