# talk-kratos
w
Hey all 👋 I'm trying to set up multiple social login options, but because Kratos prevents automatic account linking, it looks like I'm forced to tell my users to first log in with either their previously used social account or the classic email+pwd method, and then link their account to a new social one. I totally get the security reasons behind this, but in terms of user experience, this is far from ideal IMO, and doesn't seem like a common thing across other apps we use every day. Would anyone be able to provide best practices?
p
That's the only supported way right now. What you could do is ask the user to link more social sign-ins after registration on your platform's onboarding screen, or make it clear where they could link more. The API for this is quite versatile and doesn't require you to show all profile settings.
w
Thanks a lot, @proud-plumber-24205. That's a bummer; it kinda defeats the purpose of Social Login only to provide one option in my opinion. In my experience, most platforms nowadays allow automatic account linking, providing a seamless user experience. If, as a user, I see that I can't log in with this particular social provider, there is a chance I'm going to give up instead of taking the step of tweaking my settings. Overall I feel like this will create situations where teams implement workarounds to support multiple providers, creating security concerns since it's not officially supported.
p
But you can sign up with any provider and then link another afterwards, as long as you have a session. The problem with just linking providers is that it could cause account takeovers. E.g. I link Facebook on registration, but my Google account with the same email is compromised. Now the attacker just has to select "Sign in with Google" and the account has been taken over.
If you know of a way to implement this, please feel free to open a discussion or issue on GitHub. We are always open to collaboration :)
w
Yes, there is a risk of account takeovers indeed. My 2 cts is that since not allowing auto-linking is a deal breaker for many users, Social Login ends up being not used. If the only fallback option is regular email + pwd, you definitely lose security-wise, and in terms of user experience as well. Therefore auto-linking is probably worth the risk IMO. A lesser of two evils situation 🙂 But anyway, thanks for your answers; we'll find a workaround and happily contribute if we can!