
Oauth: Unlink social account from main authn account #252

Closed
diegosperes opened this issue Mar 26, 2024 · 2 comments

Comments

diegosperes (Contributor) commented Mar 26, 2024

Authn offers a feature that enables users to connect their accounts with their social media profiles. However, this has created a need for a feature that allows users to disconnect their social media accounts. The current issue is to develop a way in Authn that enables users to unlink a social media account.

Proposed Solution:

Create a new HTTP DELETE endpoint to unlink the user's current session from their social media accounts. This endpoint will be public. The frontend needs to adhere to the following contract:

DELETE /oauth/provider

In that case, provider can be one of the supported OAuth providers, like google.

AlexCuse (Contributor) commented Mar 26, 2024

This is a good idea. A few considerations come to mind:

  • I assume a corresponding public endpoint GET /oauth/providers would be needed to enumerate providers enabled for a session and enable the unlink from the front end.
  • It might make sense to add configured providers to the private GET /accounts/id endpoint. A private endpoint to handle unlink by ID for administrative users might be valuable as well.
  • Do we want to ensure that another means to log in to the account is maintained? OAuth accounts are created with a random password currently. Password reset is probably an option for most users.
  • Is there any revocation we want to support with the provider(s), or is it sufficient to just "forget" the user's OAuth account? I think a user re-entering the OAuth flow with a previously issued provider ID shouldn't cause any problems for authn, but we'd want to be sure.
  • Flip side of the above: what if the user revokes access through the provider? Is there a way to handle re-link in that scenario? (Maybe this one is a separate issue.)

diegosperes (Contributor, Author) commented:

@AlexCuse Thanks for your comments.

I've submitted a PR that implements the unlink feature, taking into account all your suggestions during development.

To address your queries:

Regarding whether we need to support any revocation with the provider(s) or if it's sufficient to just "forget" the user's OAuth account, my tests indicate that simply "forgetting" the user's OAuth account allows the user to reenter the OAuth flow without any issues.

As for the scenario where a user revokes access through the provider and how to handle re-linking in that case, this is already implemented. The user simply needs to give consent again to use social login.
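How the core rule of the proposed endpoint could be implemented, as an added example in Go (not AuthN's code and not the PR mentioned above): Unlink only forgets the link, matching the "forget rather than revoke" finding, and refuses when the account has neither a password nor another linked provider, the concern raised about keeping another means to log in. The Account type, the Unlink and StatusFor functions and the status codes chosen are assumptions of this sketch; a real handler would also require an authenticated session before calling Unlink.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Hypothetical, simplified model (not AuthN's own types): the session's account.
type Account struct {
	HasPassword bool            // user can sign in (or reset) with a password
	Providers   map[string]bool // OAuth provider name -> currently linked
}
var (
	ErrUnsupportedProvider = errors.New("unsupported oauth provider")
	ErrNotLinked           = errors.New("provider is not linked to this account")
	ErrLastLoginMethod     = errors.New("refusing to remove the only login method")
)

// Unlink implements DELETE /oauth/{provider} for the session's account: it only "forgets"
// the link server-side (nothing is revoked at the provider) and refuses to remove the
// last way the user can log in. enabled is the set of providers configured on the server.
func Unlink(enabled map[string]bool, a *Account, provider string) error {
	if !enabled[provider] {
		return ErrUnsupportedProvider
	}
	if a == nil || !a.Providers[provider] {
		return ErrNotLinked
	}
	if !a.HasPassword && len(a.Providers) == 1 {
		return ErrLastLoginMethod
	}
	delete(a.Providers, provider)
	return nil
}
// StatusFor maps an Unlink result to the HTTP status the frontend receives.
func StatusFor(err error) int {
	switch {
	case err == nil:
		return http.StatusOK
	case errors.Is(err, ErrUnsupportedProvider), errors.Is(err, ErrNotLinked):
		return http.StatusNotFound
	case errors.Is(err, ErrLastLoginMethod):
		return http.StatusUnprocessableEntity
	}
	return http.StatusInternalServerError
}
func main() { // constructed sample: an OAuth-only account linked to google, so unlink is refused
	fmt.Println(Unlink(map[string]bool{"google": true}, &Account{Providers: map[string]bool{"google": true}}, "google"))
}
```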
