AlexCuse
commented
7 months ago This is a good idea. A few considerations that come to mind -
- I assume a corresponding public endpoint
GET /oauth/providerswould be needed to enumerate providers enabled for a session and enable the unlink from front end. - It might make sense to add configured providers to the private
GET /accounts/idendpoint. A private endpoint to handle unlink by ID for administrative users might be valuable as well. - do we want to ensure that another means to login to the account is maintained? Oauth accounts are created with a random password currently. Password reset is probably an option for most users.
- Is there any revocation we want to support with the provider(s) or is it sufficient to just "forget" the user's oauth account? I think a user re-entering the oauth flow with a previously issued provider ID shouldn't cause any problems for authn but we'd want to be sure.
- Flip side of above, what if the user revokes access through the provider? Is there a way to handle re-link in that scenario? (maybe this one is separate issue)
diegosperes
Authn offers a feature that enables users to connect their accounts with their social media profiles. However, this has created a need for a feature that allows users to disconnect their social media accounts. The current issue is to develop a way in Authn that enables users to unlink social media account.
Proposed Solution:
Create a new HTTP DELETE endpoint to unlink the user's current session from their social media accounts. This endpoint will be public. The frontend needs to adhere to the following contract:
DELETE /oauth/provider
In that case provider can be one of the supported oauth providers like; google