This repository has been archived by the owner on Oct 21, 2020. It is now read-only.
It is possible for clients to send a token for an existing user that does not have the accountLinkId, even though the user has one assigned to them and an entry in the database.
User logs in/creates an account. The token sent to create the account has no accountLinkId
As part of creating an account, we assign a uuid as the accountLinkId and update the user record held at Auth0
Subsequent requests from this user still hold a token with no accountLinkId
Here lies a potential never-ending loop of multiple accounts for the same user, until the user logs out and in again to gain their new token.
There is scope for setting the accountLinkId over in Auth0, so every token has an accountLinkId from the very first login.
Do we still need to handle the case where we end up setting it here because it is missing? I think it would lead to some crappy UX having to invalidate the token and having new users log out and in again.
I am going to raise a PR that will add the current rules we have set in Auth0 to this repo. Just so we all have some visibility of them and what they are doing.
In looking into the accountLinkId issue, I found it was as simple as adding uuid() inside the rule, so I have. See #108 for details on the rule.
As always, I am open to changes.
We still need to discuss how we handle cases where the accountLinkId is missing. This could happen if the incorrect scope was requested when logging a user in.