Presented with a prompt to link account using password when pre-existing account does not use password auth method #400
Comments
Thanks for the report! This is what I found out so far:
This also applies to other flows that use account linking, but then you usually can recover your account. I can think of two ways to resolve this
@jonas-jonas @aeneasr WDYT?
I found that the code linking strategy allows me to complete account linkage and sign in successfully. However, the only issue is that it comes with a confusing UI on the registration and login pages.
[Screenshot: Standard login page]
[Screenshot: After filling in email with an email domain targeted by the Enterprise org]
The UI will improve with the new release of Ory Elements. Right now this appears to be an edge case because it involves multiple steps that are not very common (removing an org and then re-adding the same provider again). As such we can keep the report open, but I would not expect a timely resolution.
Does this mean it is not possible to remove an Enterprise SSO org and still support basic registration and login?
It means that this sequence is not fully supported: Steps to reproduce:
If your user does not have an auth method, it is not possible to securely link them to the account. How would it? In general, don't remove OIDC providers once they're used by someone to log in, as you risk locking them out of their account. Because B2B SSO disables account recovery, you essentially removed ALL auth methods for the user, and a way for them to recover. The account is simply bricked until you intervene, reset the org id on the user, reset their account, and then ask them to link again. Now that I'm writing this, I don't think this is a use case we would support. We should probably document that it's a really, really bad idea to remove 3rd party sign-in providers after users have used them to sign in.
The ideal solution in this case would be to prevent an account from ever falling into this state, even accidentally. It is the equivalent of allowing a process to enter a deadlock. I would even argue that the previous issue emerged by allowing an account to enter a state in which no auth methods were available. Issue: #399 There should probably be some static check verifying that at any given point, an account has at least one auth method that can be used for sign-in.
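As an added illustration of the invariant proposed in the comment above (example code written for this page, not Ory's or Kratos' own code or data model): a toy model of identities and their credentials, plus a provider-removal operation that refuses to proceed if any identity would be left with zero usable sign-in methods while account recovery is disabled, which is exactly the bricked state described in the thread. The `Credential`/`Identity`/`Project` types, the `enterprise-org` provider id and the identity names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model for the example; not the Kratos identity schema.
// Method is "password" or "oidc"; Provider is the OIDC provider id (empty for password).
type Credential struct {
	Method   string
	Provider string
}

type Identity struct {
	ID          string
	Credentials []Credential
}

// Project holds the currently enabled OIDC providers and whether account
// recovery is available (the thread notes B2B SSO disables it).
type Project struct {
	EnabledProviders map[string]bool
	RecoveryEnabled  bool
	Identities       []Identity
}

// UsableMethods counts the sign-in methods an identity can use right now:
// a password credential, or an OIDC credential whose provider is still enabled.
// An OIDC credential for a removed provider counts for nothing.
func UsableMethods(id Identity, p Project) int {
	n := 0
	for _, c := range id.Credentials {
		switch c.Method {
		case "password":
			n++
		case "oidc":
			if p.EnabledProviders[c.Provider] {
				n++
			}
		}
	}
	return n
}

var ErrWouldBrick = errors.New("removing provider would leave identities without any sign-in method")

// RemoveProvider enforces the invariant: it simulates the removal and refuses it
// if any identity would drop to zero usable methods with no recovery path.
// On refusal it returns the affected identity IDs and leaves the project unchanged.
func RemoveProvider(p *Project, provider string) ([]string, error) {
	trial := *p
	trial.EnabledProviders = make(map[string]bool, len(p.EnabledProviders))
	for k, v := range p.EnabledProviders {
		trial.EnabledProviders[k] = v
	}
	delete(trial.EnabledProviders, provider)

	var bricked []string
	for _, id := range p.Identities {
		if UsableMethods(id, trial) == 0 && !p.RecoveryEnabled {
			bricked = append(bricked, id.ID)
		}
	}
	if len(bricked) > 0 {
		return bricked, ErrWouldBrick
	}
	delete(p.EnabledProviders, provider)
	return nil, nil
}

// SampleProject builds constructed sample data: alice signed up only through the
// enterprise SSO provider, bob also has a password, and recovery is disabled.
func SampleProject() Project {
	return Project{
		EnabledProviders: map[string]bool{"enterprise-org": true},
		RecoveryEnabled:  false,
		Identities: []Identity{
			{ID: "alice", Credentials: []Credential{{Method: "oidc", Provider: "enterprise-org"}}},
			{ID: "bob", Credentials: []Credential{{Method: "password"}, {Method: "oidc", Provider: "enterprise-org"}}},
		},
	}
}

func main() {
	p := SampleProject()
	if bricked, err := RemoveProvider(&p, "enterprise-org"); err != nil {
		fmt.Printf("refused: %v (affected: %v)\n", err, bricked)
	}
	// Once alice has a second method, the same removal is safe.
	p.Identities[0].Credentials = append(p.Identities[0].Credentials, Credential{Method: "password"})
	if _, err := RemoveProvider(&p, "enterprise-org"); err == nil {
		fmt.Println("removed; alice still has", UsableMethods(p.Identities[0], p), "usable method(s)")
	}
}
```

The check runs against the post-removal state rather than the current one, so an identity whose only credential belongs to the provider being removed is caught before the configuration changes; with `RecoveryEnabled` true the same removal is allowed, matching the thread's observation that recovery normally offers a way back.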
Preflight checklist
Ory Network Project
https://interesting-mcnulty-i7fnu6z46n.projects.oryapis.com
Describe the bug
When trying to sign-in with SSO, I am presented with a prompt to link my account using a password even though my pre-existing account does not use the password auth method
Steps to reproduce:
Reproducing the bug
Follow steps described in the previous section
Relevant log output
No response
Relevant configuration
No response
Version
Ory Network
On which operating system are you observing this issue?
macOS
In which environment are you deploying?
Ory Network
Additional Context
No response