
Presented with a prompt to link account using password when pre-existing account does not use password auth method

Open markaduol opened this issue 1 year ago • 7 comments

Preflight checklist

Ory Network Project

https://interesting-mcnulty-i7fnu6z46n.projects.oryapis.com

Describe the bug

When trying to sign-in with SSO, I am presented with a prompt to link my account using a password even though my pre-existing account does not use the password auth method

Steps to reproduce:

  1. Set up an Enterprise SSO connection and, via self-service registration, create an account that is managed by the SSO organisation.
  2. Remove the Google OIDC connection for my Enterprise SSO organisation
  3. On the same organisation, set up a new Google OIDC connection
  4. The OIDC connection now has a different redirect URI
  5. Try to sign in with SSO
  6. Run into this prompt asking me to link my account by providing a password
  7. Can't provide a password because my account has no password auth method (only the outdated OIDC auth method)
  8. Therefore, can't link account and so can't login using the new OIDC connection

Screenshot 2024-11-14 at 10 40 43

Reproducing the bug

Follow steps described in the previous section

Relevant log output

No response

Relevant configuration

No response

Version

Ory Network

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Ory Network

Additional Context

No response

markaduol avatar Nov 14 '24 10:11 markaduol

Furthermore, the CX in the ticket description occurs only when login hints are not enabled. When they are enabled, no form field is displayed.

Screenshot 2024-11-14 at 10 50 32

markaduol avatar Nov 14 '24 10:11 markaduol

Thanks for the report! This is what I found out so far:

  • If you delete the old OIDC SSO connection, the credential is still part of the identity, so if you then use the new OIDC connection, it wants to use the previous credentials to confirm
  • Since that is deleted, you get an empty screen (when login hints are enabled); when login hints are disabled, you get a generic collection of authentication methods, because it mustn't tell you the available credentials

This also applies to other flows that use account linking, but then you usually can recover your account.

I can think of two ways to resolve this

  • special-case account linking to allow linking of accounts between providers of the same organization
  • allow to confirm account linking using the code or link strategy (getting a code sent to the user's email address).

@jonas-jonas @aeneasr WDYT?

hperl avatar Nov 14 '24 11:11 hperl

allow to confirm account linking using the code or link strategy (getting a code sent to the user's email address).

I found that the code linking strategy allows me to complete account linkage and sign in successfully. However, the only issue is that it comes with a confusing UI on the registration and login pages.

Standard login page

Screenshot 2024-11-14 at 11 19 27 copy

After filling in email with an email domain targeted by the Enterprise org

Screenshot 2024-11-14 at 11 20 14 copy

markaduol avatar Nov 14 '24 11:11 markaduol

The UI will improve with the new release of ory elements. Right now this appears to be an edge case because it involves multiple steps that are not very common (removing an org and then re-adding the same provider again). As such we can keep the report open but I would not expect a timely resolution

aeneasr avatar Nov 14 '24 11:11 aeneasr

Does this mean it is not possible to remove an Enterprise SSO org and still support basic registration and login?

markaduol avatar Nov 14 '24 15:11 markaduol

It means that this sequence is not fully supported:

Steps to reproduce:

  1. Set up an Enterprise SSO connection and, via self-service registration, create an account that is managed by the SSO organisation.
  2. Remove the Google OIDC connection for my Enterprise SSO organisation
  3. On the same organisation, set up a new Google OIDC connection
  4. The OIDC connection now has a different redirect URI
  5. Try to sign in with SSO
  6. Run into this prompt asking me to link my account by providing a password
  7. Can't provide a password because my account has no password auth method (only the outdated OIDC auth method)
  8. Therefore, can't link account and so can't login using the new OIDC connection

If your user does not have an auth method, it is not possible to securely link them to the account. How would it? In general, don't remove OIDC providers once they're used by someone to log in, as you risk locking them out of their account.

Because B2B SSO disables account recovery, you essentially removed ALL auth methods for the user, and a way for them to recover. The account is simply bricked until you intervene, reset the org id on the user, reset their account, and then ask them to link again.

Now that I'm writing this, I don't think this is a use case we would support. We should probably document that it's a really, really bad idea to remove 3rd party sign in providers after users have used them to sign in.

aeneasr avatar Nov 14 '24 15:11 aeneasr

The ideal solution in this case would be to prevent an account from ever falling into this state - even accidentally. It is like the equivalent of allowing a process to enter a deadlock.

I would even argue that the previous issue emerged from allowing an account to enter a state in which no auth methods were available. Issue: https://github.com/ory/network/issues/399

There should probably be some static check verifying that at any given point, an account has at least one auth method that can be used for sign-in.

markaduol avatar Nov 14 '24 17:11 markaduol
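The invariant proposed in the last comment, written out as a pre-removal check that an operator could run before deleting an OIDC provider. This is an added example, not Ory's code; the identity shape is assumed to follow what Ory Kratos returns when identities are listed with credentials included, trimmed to the fields used, and the identities are constructed samples.

```python
# Added example (not Ory's own code): check, before removing an OIDC provider, which
# identities would be left with no credential that can still complete a login.
from typing import Iterable

# Constructed sample identities (assumed Kratos shape, abbreviated), not real accounts.
SAMPLE_IDENTITIES = [
    {"id": "alice", "credentials": {
        "oidc": {"config": {"providers": [{"provider": "google-old", "subject": "s1"}]}}}},
    {"id": "bob", "credentials": {
        "password": {"identifiers": ["bob@example.com"]},
        "oidc": {"config": {"providers": [{"provider": "google-old", "subject": "s2"}]}}}},
    {"id": "carol", "credentials": {
        "oidc": {"config": {"providers": [
            {"provider": "google-old", "subject": "s3"},
            {"provider": "google-new", "subject": "s3"}]}}}},
]

# Credential types that complete a first-factor login without an external provider.
FIRST_FACTOR_METHODS = {"password", "code", "webauthn", "passkey"}


def usable_methods(identity: dict, active_providers: Iterable[str]) -> set[str]:
    """Methods that can still sign this identity in, given the providers that exist.

    An OIDC link only counts if its provider is still configured in the project;
    a link to a deleted provider is exactly the dead credential described above.
    """
    active = set(active_providers)
    creds = identity.get("credentials") or {}
    methods = {m for m in FIRST_FACTOR_METHODS if m in creds}
    oidc_cfg = (creds.get("oidc") or {}).get("config") or {}
    for link in oidc_cfg.get("providers", []):
        if link.get("provider") in active:
            methods.add(f"oidc:{link['provider']}")
    return methods


def locked_out_by_removal(identities: list[dict], active_providers: set[str],
                          provider: str) -> list[str]:
    """IDs of identities that would have no usable sign-in method once `provider` is gone."""
    remaining = active_providers - {provider}
    return [i["id"] for i in identities if not usable_methods(i, remaining)]


if __name__ == "__main__":
    active = {"google-old", "google-new"}
    print(locked_out_by_removal(SAMPLE_IDENTITIES, active, "google-old"))  # ['alice']
```

A non-empty result is the signal to migrate or re-link those identities (or give them another first factor) before the provider is deleted, rather than discovering the bricked state at the linking prompt.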