Linking account in AuthUI and Authflow

fungc-io commented 6 months ago

When a conflict is found on login with OAuth, ask the user if they want to merge the existing account.
After that, the user should authenticate with the existing method, e.g. enter OTP, enter pw…
If they authenticate successfully, the OAuth account will be linked

If OAuth conflicts with OAuth, the screen should show the other social login buttons too.

Original Account	Incoming Account	Possible actions
Email	OAuth (Google, Facebook, etc..)	1. Error: Remind the user to login with Email or 2. Login with the original authenticator (password/OTP) to link the account
OAuth (Google, Facebook, etc..)	Another OAuth (Google, Facebook, etc..)	1. Error: Remind the user to login with OAuth or 2. Login with the original OAuth to link the account
OAuth (Google, Facebook, etc..)	Email	Error: Remind the user to login with OAuth or

~In the 3rd case, if the original account is OAuth and the user enters the email to log in, the linking process will be complicated because the user needs to:~

~confirms they own the original OAuth account by logging in, and then~
~set up the authenticators like password or OTP.~

~We can just simply tell them to login with OAuth without linking~

[ ] Update account linking related configs (2h)
[ ] Modify authflow (2d)
- [ ] Support running login flow inside oauth
- [ ] Modify oauth step to execute a nested login flow with a selected identity
- [ ] If the login flow supports oauth, the oauth should only accept using a existing oauth identity which match the user
[ ] Modify AuthUI to support this step (1d)

Legacy issue:

DEV-20

linear[bot] commented 6 months ago

DEV-1195 Confirm merging account in AuthUI and Authflow

fungc-io commented 6 months ago

@tung2744 @newman @louischan, i've summarized the behavior of different combinations we discussed today in above table

fungc-io commented 6 months ago

In the product meeting today, instead of having different behaviour for incoming account = email/oauth, A better way should be always continue the signup flow after "login and link", and skip the step if the required authenticator already exists in the account.

This prevents that the linked authenticator cannot be used for login because the required authenticator is missing.

For example:

Existing account: Phone Number + PW
Alternative Sign up/Login flow = Line (OAuth) + Phone OTP
When the user try "Continue with Line", After returning from Line, The user shall
- 1. Login with Password (Login and link)
- 2. Setup Phone OTP
- 3. Completed, redirect to the application with an account containing: Phone, PW, Phone OTP, Line OAuth
If the 2nd step is missing, they will not be able to login with Line next time after they link it.

fungc-io commented 5 months ago

@tung2744 I've prepared a testing spec for the current phase of account linking:

Testing Spec for Account Linking

Treat it as acceptance criteria and i will share it with QA team for testing. Please see if this align with our plan?

tung2744 commented 5 months ago

Yes, I think it aligns with our expectation.

authgear / authgear-server

Linking account in AuthUI and Authflow #4103

Legacy issue: