feature request: Account Linking and OAuth Extra Scopes Support
What problem did you meet?
The main goal is to provide users of the app with the capability to link multiple accounts from different authentication providers without the need for separate account creation. Also, the ability to pass extra scopes during social OAuth.
Problems:
- Lack of clarity regarding the process of obtaining the provider token or whether it is supported by Logto.
Describe what you'd like Logto to have
Let's consider a specific example to illustrate the problem. Imagine a user, James, who is logged into the app using his primary Gmail account, [email protected]. James also has another Gmail account, [email protected], which he wants to connect and import contacts into the app.
By linking his [email protected] account to his primary [email protected] account, James aims to import contacts from [email protected] without having to create a separate account. This would enable him to leverage the combined functionalities and resources of both accounts within the app.
To make the desired functionality achievable, the following capabilities are needed:
- Ability to include additional scopes when performing an OAuth sign-in. This would allow requesting access to specific permissions or resources.
- Ability to obtain the access_token from the OAuth provider.
- Account linking functionality or, at the very least, the ability to only retrieve the necessary tokens.
@maleksal Could you provide some more context on what circumstances you will need the access_token issued by a third party through logto? If you connect Logto with an IDP, that should be one time call only just to get a verified identity.
Thank you @simeng-li. Our use case is that we want to use the token obtained after the user signs in using OAuth to fetch user emails using IMAP.
For example, the user connects to our dashboard for the first time and creates an account using social login; then, inside the dashboard, the user can connect another Google account and import his emails, and can also connect Outlook and import his emails.
Hi, we had a brief team review about the feature you asked for. First of all, greatly appreciate it. That is a nice use case we haven't thought about.
There are a few limitations with the current version of Logto:
- We do not support binding multiple social accounts from the same provider to the same Logto user account yet. A newly bound Gmail account will overwrite the existing one on file.
- As I mentioned earlier, currently Logto can only manage the authorization tokens and sessions granted by itself. All the third-party IDP connectors only provide verified social identities to Logto, a.k.a. the authentication flow. A further, continuing authorization interaction is needed here.
To meet your product needs, Logto might need a separate module or system to maintain and manage all those third-party IDPs' authorization data, e.g., multiple Google account authorization tokens and scopes in your case. There is quite some work to do before we can flawlessly support that. Considering our current workload and the resources we have, we might need to put this in the backlog at the moment. But it is definitely something we are going to support in the future. Thanks again for bringing this up with us. I have created a to-do tracker internally and will keep this thread open for reference.
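To make the separation described in the reply above concrete, here is an added example (not Logto's code, nor the reporter's) of what such a separate module could look like: a store that keeps several Google authorizations per Logto user, each with its own scopes and refresh token, so a second Gmail account does not overwrite the first, plus the authorization-code request that asks for the extra mail scope. The Logto user id, client id, redirect URI and state value are assumed inputs; the Google endpoint and scope strings are Google's documented ones.

```python
from dataclasses import dataclass
from urllib.parse import urlencode

GOOGLE_AUTHORIZE_URL = "https://accounts.google.com/o/oauth2/v2/auth"
MAIL_SCOPE = "https://mail.google.com/"  # Google's scope for IMAP/SMTP access

@dataclass(frozen=True)
class ProviderAuthorization:
    provider: str          # e.g. "google"
    account_id: str        # provider's stable user id (Google "sub"), not the email
    email: str
    scopes: frozenset      # scopes the user actually consented to
    refresh_token: str     # encrypt at rest; never send it to the browser

class LinkedAccountStore:
    """Third-party authorizations per Logto user, kept apart from the Logto identity."""
    def __init__(self):
        self._by_user: dict[str, list[ProviderAuthorization]] = {}

    def link(self, logto_user_id: str, auth: ProviderAuthorization) -> None:
        entries = self._by_user.setdefault(logto_user_id, [])
        # Replace only the same provider account; other accounts from that provider stay linked.
        entries[:] = [e for e in entries if (e.provider, e.account_id) != (auth.provider, auth.account_id)]
        entries.append(auth)

    def linked(self, logto_user_id: str, provider: str) -> list[ProviderAuthorization]:
        return [e for e in self._by_user.get(logto_user_id, []) if e.provider == provider]

    def refresh_token_for(self, logto_user_id: str, provider: str, account_id: str, scope: str) -> str:
        for e in self.linked(logto_user_id, provider):
            if e.account_id == account_id:
                if scope not in e.scopes:  # linked for sign-in only; a new consent step is needed
                    raise PermissionError(f"{e.email} was linked without scope {scope}")
                return e.refresh_token
        raise KeyError("account not linked to this user")

def google_authorize_url(client_id: str, redirect_uri: str, extra_scopes: list[str], state: str) -> str:
    """Authorization-code request for the second consent step that adds the extra scopes."""
    params = {
        "client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code",
        "scope": " ".join(["openid", "email"] + extra_scopes),
        "access_type": "offline",  # ask for a refresh token so mail access outlives the session
        "prompt": "consent",       # force the consent screen so a refresh token is issued
        "state": state,            # bind the callback to this user's session (CSRF protection)
    }
    return f"{GOOGLE_AUTHORIZE_URL}?{urlencode(params)}"
```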
Really a must have feature. Thanks for your awesome work so far. Keep it going.