How to handle updated OAuth profile with account linking enabled?

[louischan-oursky]

Once https://github.com/authgear/authgear-server/issues/4516 is fixed, we will have this problem.

1. Sign up with a OAuth provider. The OAuth profile is {"sub": "UserA", "phone_number": "+85251000001"}. This is UserA.
2. Sign up with phone number "+85251000001". With account linking, UserA now has a OAuth identity and a phone number Login ID.
3. Sign up with a OAuth provider. The OAuth profile is {"sub": "UserB", "phone_number": "+85251000002"}. This is UserB.
4. Sign up with phone number "+85251000002". With account linking, UserB now has a OAuth identity and a phone number Login ID.
5. Go to the OAuth profile of UserA, change the phone number to "+85251000002".
6. Sign in with OAuth profile {"sub": "UserA", "phone_number": "+85251000002"}.

How should we handle Step 6?

• We cannot trigger account linking. It is because account linking does not support linking two existing accounts.
• If we do not do anything special, then "+85251000002" is now shared by two accounts. The implication is that when someone signup with another OAuth provider with "+85251000002" , thus trigger account linking, there are options to link UserA (OAuth phone number "+85251000002") and link UserB (Login ID phone number "+85251000002")

[linear[bot]]

DEV-1666 How to handle updated OAuth profile with account linking enabled?

[louischan-oursky]

Per offline discussion, we will do nothing special in Step 6. Since account linking allows create_new_account https://github.com/authgear/authgear-server/blob/main/docs/specs/account-linking.md#linking-actions , it is possible that more than 1 account sharing the same phone_number / email / preferred_username