
user journey that does not create duplicate accounts #49

Open
canoas opened this issue Apr 23, 2019 · 5 comments

Comments

@canoas

canoas commented Apr 23, 2019

Is it possible to simply merge an account when the same email is already verified in an existing account?
How to reproduce:

  1. signup/signin at https://wingtipgamesb2c.azurewebsites.net with local account (email1)
  2. logoff
  3. signup/signin with facebook (email1) - ISSUE: A new object is created here, IMHO it should offer to merge (link automatically)
  4. logoff
  5. signin with local (email1)
  6. ID Menu: "link social", use the same Facebook (email1) and we get this error:

Account link error
We can't link your WingTip Toys account to your social account because your social account already exists.

ISSUE 2: Merge is not possible without first deleting an account

Are any of these issues possible to customize by using this policy framework?
Thank you

@xinaxu
Contributor

xinaxu commented May 29, 2019

It is indeed possible.
At step 3, when you get the email address from Facebook, you can do an account discovery in AAD using that email address as the username. If it exists, you can merge the Facebook account into that existing AAD account. If not, create a new AAD account.
Several caveats to be aware of when you decide to go with this path:

  1. Not all users from Facebook provide their email address; when they grant permission to the app, they have an option to not provide an email address.
  2. From a security standpoint, you will be relying on Facebook properly verifying the email address of the user. If Facebook allows unverified email addresses, it can be exploited to gain access to those existing accounts.

For your second issue, I assume you are talking about a case where there are already two accounts and you would like to merge them. In the policy, technically you can have an AAD technical profile to delete one account, merge their claims and update the other account. The caveat here is that the relying website needs to handle the merge case, for example, how to merge the reward points of two users.

@filipemiguelaugusto

@xinaxu Is it possible to have an example of how to accomplish the step in the policy to do the account discovery in AAD that you suggested?

@xinaxu
Contributor

xinaxu commented Jun 14, 2019

It can be achieved using Validation Technical Profiles and Preconditions. https://docs.microsoft.com/en-us/azure/active-directory-b2c/validation-technical-profile
You can have 3 validation technical profiles:

  1. Get the user from AAD using the email address, and do not throw an error if the user does not exist.
  2. Link the Facebook account to that AAD user. This technical profile is executed only when objectId exists, using a Precondition.
  3. Create a new AAD user. This technical profile is executed only when objectId does not exist, using a Precondition.
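The three-profile chain described in this reply, and the email-based account discovery from the earlier one, as an added example of what the custom policy XML can look like. This is not code from the issue thread, from the B2C starter pack or from xinaxu; it assumes the starter-pack profiles `AAD-Common`, `AAD-UserWriteUsingAlternativeSecurityId` and `SelfAsserted-Social` exist and that the Facebook technical profile outputs the `email` and `AlternativeSecurityId` claims. The Ids `AAD-UserReadUsingEmailAddress-NoError`, `AAD-UserLinkSocialAccountUsingObjectId` and `AddSocialIdToCollection` are illustrative names chosen here.

```xml
<!-- Added example, not from this issue thread or the B2C starter pack.
     Assumed: starter-pack profiles AAD-Common, AAD-UserWriteUsingAlternativeSecurityId
     and SelfAsserted-Social exist, and the Facebook profile outputs the email and
     AlternativeSecurityId claims. The Ids AAD-UserReadUsingEmailAddress-NoError,
     AAD-UserLinkSocialAccountUsingObjectId and AddSocialIdToCollection are illustrative. -->

<!-- Claims transformation: append the social identity to the user's existing collection -->
<ClaimsTransformation Id="AddSocialIdToCollection" TransformationMethod="AddItemToAlternativeSecurityIdCollection">
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="AlternativeSecurityId" TransformationClaimType="item" />
    <InputClaim ClaimTypeReferenceId="AlternativeSecurityIds" TransformationClaimType="collection" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="AlternativeSecurityIds" TransformationClaimType="collection" />
  </OutputClaims>
</ClaimsTransformation>

<!-- Step 1: account discovery by email; a miss is not an error, so objectId is simply absent -->
<TechnicalProfile Id="AAD-UserReadUsingEmailAddress-NoError">
  <Metadata>
    <Item Key="Operation">Read</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">false</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="signInNames.emailAddress" Required="true" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="objectId" />
    <OutputClaim ClaimTypeReferenceId="AlternativeSecurityIds" PartnerClaimType="alternativeSecurityIds" />
  </OutputClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

<!-- Step 2: link the Facebook identity to the user found in step 1 (write by objectId) -->
<TechnicalProfile Id="AAD-UserLinkSocialAccountUsingObjectId">
  <Metadata>
    <Item Key="Operation">Write</Item>
    <Item Key="RaiseErrorIfClaimsPrincipalDoesNotExist">true</Item>
  </Metadata>
  <InputClaimsTransformations>
    <InputClaimsTransformation ReferenceId="AddSocialIdToCollection" />
  </InputClaimsTransformations>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="objectId" Required="true" />
  </InputClaims>
  <PersistedClaims>
    <PersistedClaim ClaimTypeReferenceId="objectId" />
    <PersistedClaim ClaimTypeReferenceId="AlternativeSecurityIds" PartnerClaimType="alternativeSecurityIds" />
  </PersistedClaims>
  <IncludeTechnicalProfile ReferenceId="AAD-Common" />
</TechnicalProfile>

<!-- Wire the three validation technical profiles into the social sign-up page.
     Step 3 is the unchanged starter-pack create profile. -->
<TechnicalProfile Id="SelfAsserted-Social">
  <ValidationTechnicalProfiles>
    <ValidationTechnicalProfile ReferenceId="AAD-UserReadUsingEmailAddress-NoError" />
    <ValidationTechnicalProfile ReferenceId="AAD-UserLinkSocialAccountUsingObjectId">
      <Preconditions>
        <!-- skip the link step when step 1 found no existing user (objectId absent) -->
        <Precondition Type="ClaimsExist" ExecuteActionsIf="false">
          <Value>objectId</Value>
          <Action>SkipThisValidationTechnicalProfile</Action>
        </Precondition>
      </Preconditions>
    </ValidationTechnicalProfile>
    <ValidationTechnicalProfile ReferenceId="AAD-UserWriteUsingAlternativeSecurityId">
      <Preconditions>
        <!-- skip the create step when a user was found and has just been linked (objectId present) -->
        <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
          <Value>objectId</Value>
          <Action>SkipThisValidationTechnicalProfile</Action>
        </Precondition>
      </Preconditions>
    </ValidationTechnicalProfile>
  </ValidationTechnicalProfiles>
</TechnicalProfile>
```

Two things to check before relying on this. First, the base starter-pack policy already lists `AAD-UserWriteUsingAlternativeSecurityId` under `SelfAsserted-Social`, so if you put the override in an extension file, confirm the resulting execution order is read, link, create (or edit the base file directly). Second, the link step trusts that the email the social provider returned really belongs to the signed-in user, which is exactly the caveat raised earlier in the thread: only enable it for identity providers that verify email addresses, otherwise an attacker-controlled social account carrying someone else's email would get linked to that person's local account.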

@canoas
Author

canoas commented Jul 22, 2019

> It is indeed possible.
> At step 3, when you get the email address from Facebook, you can do an account discovery in AAD using that email address as the username. If it exists, you can merge the Facebook account into that existing AAD account. If not, create a new AAD account.
> Several caveats to be aware of when you decide to go with this path:
>
>   1. Not all users from Facebook provide their email address; when they grant permission to the app, they have an option to not provide an email address.
>   2. From a security standpoint, you will be relying on Facebook properly verifying the email address of the user. If Facebook allows unverified email addresses, it can be exploited to gain access to those existing accounts.
>
> For your second issue, I assume you are talking about a case where there are already two accounts and you would like to merge them. In the policy, technically you can have an AAD technical profile to delete one account, merge their claims and update the other account. The caveat here is that the relying website needs to handle the merge case, for example, how to merge the reward points of two users.

We don't care if the user does not have a verified email or is not showing the email in the consent; what we want is a fluid and intuitive user journey for 99% of the cases. As I explained with the documented wingtipgamesb2c example, the current demo policies are not implemented as a good reference, and whoever did these docs/examples could fix this with the suggested precondition. At least not creating a duplicate AAD entry when the verified email is a match (precondition).
@xinaxu, a great answer would be a link to a commit/fork with the changed parts we need to do in the XML files ;-)
Thank you; at least you gave us a light at the end of the tunnel, now we just need to learn how to program profiles using XML.

@MichielCornilleESC

@canoas did you eventually manage to get this working? It was the first question from the business "Why are there duplicates created" on a new project I'm working on.
