Is it possible to login through social providers if the identifiers match even if user did not signup through the provider. Right now there's an explicit extra step to link them, which I think is a good default configuration. Is there a way to login through them without linking if for example emails match. There are some security considerations to think about, but it's a flow that's currently being used; e.g Atlassian

Is there a way to login through them without linking if for example emails match.

I think this is a massive security issue. I have to dig a bit to find the explanation again, but essentially you are opening the door to impersonation, if you don’t add some extra checks (and at that point you can just aswell let the user link the accounts)

That would be great, since I'm looking for an explanation that is convincing enough for not having the feature. So far what I have is that enabling that would compromise the Kratos identity if any of the accounts in configured providers got compromised. Which alone may not be enough to convince for not having it given that it's being used in the wild.

• assume you have signed up using david@company.org to myapp.com • i, the hacker, know this • i create an google account with email david@company.org and sign in • now I am in your account

How do you do the 3rd step

I guess that depends on the email provider and how company.org is handling it 🤔 Also depends if the social login provider does require verified emails and so on. If you want to make a general/sweeping assumption it is unsafe, but for individual cases it might not be.