User account linking
Ory allows users to link their accounts to social sign-in providers after they sign up, as well as un-link social sign-in providers they previously added.
Users can link their accounts only to social providers you configured in your Ory project.
Users can link and unlink accounts:
- to start signing in with a profile created in a social sign-in provider when they originally signed up with email and password
- to link another social sign-in provider to their profile so that they can sign in with their GitHub profile and their Facebook profile
- to remove a social sign-in provider link from the profile (possible only when multiple sign-in methods are available to prevent locking users out from accounts)
Link accounts
Users can link accounts manually through their account's settings page. To try out account linking, use the Ory Account Experience. Follow these steps:
- Configure at least two sign-up methods in your Ory project. One of these methods must be through a social sign-in provider.
- Go to your project's Ory Account Experience at
https://$PROJECT_SLUG.projects.oryapis.com/ui
and sign up. - After you sign up, go to Account Settings and navigate to the Social Sign In section.
- Select one of the buttons to link an available social sign-in provider.
Unlink accounts
Users with multiple sign-in methods can unlink social sign-in providers from their account through their account's settings page. To try out account un-linking, use the Ory Account Experience. Follow these steps:
- Go to your project's Ory Account Experience at
https://$PROJECT_SLUG.projects.oryapis.com/ui
and sign in with a user account with multiple sign-in methods available. - Go to Account Settings and navigate to the Social Sign In section.
- Use the buttons to unlink a social sign-in provider.
Automatic account linking
Users can link social sign-in accounts on login automatically using a secure flow. This is how it works:
- The user creates an account with the identifier
alice@example.com
and a password. - When signing in later the user clicks to sign in with a social sign-in provider. That social sign-in account (through the OIDC
userinfo endpoint or the identity token) contains the same identifier
alice@example.com
. - Since the identifier is registered already, the user cannot be logged in directly. Instead the user will be prompted to enter the password chosen in step 1.
- After entering the correct password, the social sign-in is linked to the user's account. Now they can sign in with either password or social sign-in provider.
Security considerations
Automatic account linking can be a security risk. Consider this scenario:
- Your application allows users to create new accounts or sign in with ACME.
- John creates an account with his email
john@doe.com
. - Malicious actors create an ACME account for
john@doe.com
. - They sign up in your app using this ACME account.
- Your system, detecting duplicate accounts, prompts for account linking.
- Malicious actors link the accounts, gaining access to John's account.
To prevent this users need to verify an additional credential before the accounts can be linked. In the scenario above, the
malicious actors would be prompted to enter the password associated with the jon@doe.com
identifier.