Description
It is a new option to enable this behavior.
Regardless of the order in which the identities were added, for a given user, if an OAuth identity's email matches a login ID of type email, then that login ID can no longer be used to authenticate.
For example, suppose User A has the login ID usera@gmail.com. Later they link their Google account to their account. Existing sessions of the login ID usera@gmail.com are still valid. However, User A can no longer use usera@gmail.com to authenticate with a password; they must authenticate with Google.
Edit
It would result in better UX if Auth UI could detect this condition and, instead of showing an error, redirect the user to the IdP authorization endpoint with login_hint set.
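As an added example (not code from the project or from this issue), here is one way Auth UI could apply the rule above and, when the option is on, choose between an error and a redirect to the IdP with login_hint set. The Identity record shape, the authz_endpoints map, the placeholder endpoint URL and the case-insensitive email comparison are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass(frozen=True)
class Identity:
    kind: str                # "login_id" or "oauth"
    value: str               # the login ID itself, or the email asserted by the IdP
    login_id_type: str = ""  # for login_id identities: "email", "username", "phone"
    provider: str = ""       # for oauth identities, e.g. "google"


def normalize_email(email: str) -> str:
    # Assumption: emails are compared case-insensitively after trimming whitespace.
    return email.strip().lower()


def decide_password_login(identities, login_id, option_enabled, redirect_to_idp, authz_endpoints):
    """Decide what Auth UI does when an email login ID is submitted with a password.
    Returns ("password", None) to continue with password authentication,
    ("error", reason) to reject the attempt, or ("redirect", url) to send the
    user to the IdP authorization endpoint with login_hint set."""
    target = normalize_email(login_id)
    is_email_login_id = any(
        i.kind == "login_id" and i.login_id_type == "email" and normalize_email(i.value) == target
        for i in identities
    )
    # The option only affects login IDs of type email.
    if not option_enabled or not is_email_login_id:
        return ("password", None)
    # Order of linking is irrelevant: any OAuth identity with the same email blocks the password.
    blocker = next((i for i in identities if i.kind == "oauth" and normalize_email(i.value) == target), None)
    if blocker is None:
        return ("password", None)
    if not redirect_to_idp:
        return ("error", f"sign in with {blocker.provider} instead")
    # A real authorization request also carries client_id, redirect_uri, response_type,
    # scope and state; only login_hint is shown here.
    url = authz_endpoints[blocker.provider] + "?" + urlencode({"login_hint": login_id})
    return ("redirect", url)


# Constructed sample: User A's email login ID plus a linked Google identity with the same email.
SAMPLE_IDENTITIES = [
    Identity("login_id", "usera@gmail.com", login_id_type="email"),
    Identity("oauth", "usera@gmail.com", provider="google"),
]
SAMPLE_ENDPOINTS = {"google": "https://idp.example/authorize"}  # placeholder, not a real IdP
```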
Portal Design
Add a new field for this option.
Blog Post Specification
Blog Post of the Feature Release
Open Questions
Put a list of open questions here before a complete design / specification is decided
Related Issues