Can one User use multiple Providers?

[tobiasriemenschneider]

Hi all! I have a kind of high level/general question.

I understand that I can offer multiple authentication strategies ("providers") to users during SignIn.
However, is it possible for a user who used a specific provider during the initial SignIn, to add an additional provider afterwards, so that she can use both providers alternatively.
How would I need to go about it?

Thanks for any ideas/pointers! 🙏

[tobiasriemenschneider]

I just found something in the FAQ section:
https://next-auth.js.org/faq#when-i-sign-in-with-another-account-with-the-same-email-address-why-are-accounts-not-linked-automatically

Providing support for secure account linking and unlinking of additional providers - which can only be done if a user is already signed in already - was originally a feature in v1.x but has not been present since v2.0, is planned to return in a future release.

Looking forward to having this supported in a future version.

[TimNZ]

@tobiasriemenschneider

The section you quote is a different scenario where linking of accounts to a single users record is done by matching the email provided by the provider to an existing users record, when a user is currently not signed into the next-auth app e.g. doesn't have a current session/JWT cookie.
e.g.
if you have a [email protected] at Google, and [email protected] on Facebook, autolinking those two 'accounts' back to the same 'users' record,
when user is not logged into the next-auth app.

What your original post implies is the other common scenario:
If the user is already signed in via any provider,
and then you signIn again using a different provider,
the provider account will be linked to the same user record
single 'users' record -> multiple 'accounts' records,
regardless of what primary emails are on the different provider accounts.

Easy to test:

• Sign in
• Open signin page again and signin using a different provider
• Find multiple 'accounts' records e.g. Google + Linkedin, for a single 'users' record, even if different emails.

[florianheysen]

I've been looking for this for 3 days, thank you! Can we find more information in the docs about linking providers' accounts to an existing account?

[MetaMmodern]

Hello @florianheysen ! Did you find anything? It's it back in any newer version?

[JakubKoralewski]

I'd also like to implement this. Good example of what I'm thinking of is what Discord has with linking Steam, Spotify, Twitch, GitHub etc. to an existing Discord account in Settings/Connections.

[ldmsh]

Yes this is exactly what I was hoping to replicate with NextAuth using custom scopes, but not being able to link accounts is an issue. Have you made any progress on this?

[jasonjei]

I use the Rails doorkeeper assertion gem to help trade access_tokens for my backend API and take advantage of the signIn callback:

[...nextauth].js

  callbacks: {
    async signIn({ user, account, profile, email, credentials }) {
      if (account.provider === 'github' || account.provider === 'facebook') {
        const params = { grant_type: "assertion", 
          client_id: "SECRET API CLIENT ID GOES HERE", 
          client_secret: "SECRET GOES HERE",
          assertion: account.access_token,
          provider: account.provider,
        }
        const res = await fetch("http://api:3001/oauth/token", {
          method: 'POST',
          body: JSON.stringify(params),
          headers: { "Content-Type": "application/json" }
        })
        const token = await res?.json()

        // If no error and we have user data, return it
        if (res.ok && token) {
          const user_res = await fetch("http://api:3001/api/users/current", {
            method: 'GET',
            headers: { "Content-Type": "application/json", "Authorization": "Bearer " + token.access_token }
          })
          const tsUser = await user_res.json()
          user.og_account = { ...account };
          user.access_token = token.access_token;
          user.expires_in = token.expires_in;
          user.refresh_token = token.refresh_token;
          user.created_at = token.created_at;
          user.access_token_expires = Date.now() + token.expires_in * 1000;
        }

      }
      return true
    },

doorkeeper.rb

  resource_owner_from_assertion do
    if server.client && params[:provider] && params[:assertion]
      case params.fetch(:provider)
      when "github"
        auth = Doorkeeper::GrantsAssertion::OmniAuth.oauth2_wrapper(
          provider: "github",
          strategy_class: OmniAuth::Strategies::GitHub,
          client_id: ENV["SECRET"],
          client_secret: ENV["SECRET"],
          client_options: { skip_image_info: false },
          assertion: params.fetch(:assertion)
        ).auth_hash rescue nil
        unless auth.nil?
          # your custom finders - just like in devise omniauth
          User.find_by(email: auth&.info&.email)
          user = User.find_or_create_by(email: auth&.info&.email)
          user.password = Array.new(25){[*"A".."Z", *"0".."9"].sample}.join if user.new_record?
          user.save if user.changed?
          user 
        end
      when "facebook"
        puts auth.inspect
        auth = Doorkeeper::GrantsAssertion::OmniAuth.oauth2_wrapper(
          provider: "facebook",
          strategy_class: OmniAuth::Strategies::Facebook,
          client_id: ENV["SECRET"],
          client_secret: ENV["SECRET"],
          client_options: { skip_image_info: false },
          assertion: params.fetch(:assertion)
        ).auth_hash rescue nil
        unless auth.nil?
          # your custom finders - just like in devise omniauth
          User.find_by(email: auth&.info&.email)
          user = User.find_or_create_by(email: auth&.info&.email)
          user.password = Array.new(25){[*"A".."Z", *"0".."9"].sample}.join if user.new_record?
          user.save if user.changed?
          user 
        end
      end
    end
  end