does anyone have any insight into how to handle ac...
# ory-selfhostingc
cold-insurance-50617
03/07/2025, 2:01 PMdoes anyone have any insight into how to handle account linking during the login flow?
currently the only way I can perform post account link actions during login flow is by using an after login hook and inspecting the
ctx.flow.request_urlm
magnificent-energy-493
03/08/2025, 6:34 PM
Hey @cold-insurance-50617
For Ory Kratos there is something built-in: https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account
I would discourage automatic account linking (aka linking without the user proving that they own the account), as that can lead to account takeover. Sure, there are providers (like e.g. Google) where it is less problematic, but even for those there are edge-cases where it can become problematic.
c
cold-insurance-50617
03/10/2025, 6:22 AMok thanks for the reply, is the recommendation of the ory team to just not support account linking at all or this there a recommended pattern that allows joining accounts while limiting the risk of account takeover
m
magnificent-energy-493
03/10/2025, 12:40 PM
Hello @cold-insurance-50617
the recommendation is to use the account linking method that is implemented and documented here: https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account
Quoting from the docs, this is how it works:
1. The user creates an account with the identifierand a password.<mailto:alice@example.com|alice@example.com>
2. When signing in later, the user signs in with a social sign-in provider. That social sign-in account (through the OIDC userinfo endpoint or the identity token) contains the same identifier.<mailto:alice@example.com|alice@example.com>
3. Since the identifier already exists, the user can't be logged in directly. Instead, the user will be prompted to enter the password chosen in step 1.
4. After entering the correct password, the social sign-in is linked to the user's account. Now they can sign in with either password or social sign-in provider.please let me know if that is clear, or if you understand something different under "account linking"
c
cold-insurance-50617
03/11/2025, 10:48 AM@magnificent-energy-493 this is the flow I am currently implementing, relying on ory to identify email collisions and only linking accounts where that is the case.
my original post was about the hooks available during this flow, I need to perform some internal business logic when a user registers via discord for example, and when that happens via an account link in the flow you described its a little confusing where to place this logic as there doesn't seem to a hook for it.
the after registration hook will fire, but it does so before the user confirms ownership via the secondary account (google in the example I provider)
what I am looking for is a hook of sorts that fires when the user has successfully verified and linked the new provider
please let me know if I am missing something
cold-insurance-50617
03/13/2025, 2:28 PMjust wanted to follow up on this, the only way I was able to handle successful account linking in a hook was by using an
after logincontext.flow.ui.messagesduplicateProviderprovideridprovidersubjectidentity_credentials Copy code
func getDuplicateProvider(payload AfterLoginWebhookPayload) string {
// Defensive check: payload or messages could be nil
if payload.Context.Flow.UI.Messages == nil {
return ""
}
var email = payload.Context.Identity.Traits.Email
for _, msg := range *payload.Context.Flow.UI.Messages {
var ctx = msg.Context
if ctx == nil || ctx.DuplicateIdentifier == nil || ctx.Provider == nil {
continue
}
if *ctx.DuplicateIdentifier == email {
return *ctx.Provider
}
}
return ""
}13 Views