We are migrating to stytch. One of the issues we have is that our users have a email & password.
After they sign in, we want to give them the option to “SSO/oAuth” sign in with Google. However, their google account may not have the same email address as they were using to sign in.
What is the API series of calls to make to make sure that the following works.
- User successfully signs in email@example.com / password
- Joe sees their security page and they can sign up with SSO Google.
- They click the button (resolve the issue between google and stytch), however, their email address on google is firstname.lastname@example.org.
- They come back to the authenticate method and… I’m confused at this point. Keep in mind, that we do NOT know ahead of time, that their email address is different on google.
I suspect the user would create a brand new account. :(, when I wanted to associate the email@example.com account with the google oAuth account.
I have looked thought documentation and forum, but haven’t seen any method for handling this.
I’ll start by mentioning that our B2B auth platform treats emails as the primary key and strongly guarantees them, meaning we expect an end user to be almost always 1:1 with a Stytch Member.
However with that said, I have a few follow up questions to make sure that I understand your use case completely before I provide recommendations.
- In your application, it sounds like you’re making a distinction between “login”, i.e. step one of your example, and SSO, step 2. Can you clarify why you’re treating these two concepts differently? Typically we expect SSO to be the login (and signup) flow by itself, not a second step after user login.
- For your SSO setup, will you be using SAML or OIDC?
Stytch Developer Success
The distinction between login and SSO, is that our users are sometimes confused as to how they logged in the application.
I will sign into my favorite site with an email and password.
For example, I’ll sign into the site as firstname.lastname@example.org & password.
Later, I see the site offers SSO with Google. So, I want to sign in with a single click with Google. however, my Google email address is email@example.com
At this point, Stytch, would create a new account, when I (the user) wants firstname.lastname@example.org to be the same account with email@example.com allowing me to have firstname.lastname@example.org as another email on the same account. I would then be able to use Google SSO to sigin in.
Hey Daniel – got it, thanks so much for that additional information!
I think what you’re looking for is our OAuth attach functionality, which allows you to specify an existing
user_id to add an OAuth account to (even if the email addresses don’t match).
That way, if a user signs into your site as email@example.com but also wants to link their OAuth account associated with firstname.lastname@example.org, you’ll have a way of combining those two login options/ email addresses into one Stytch User.
During the OAuth attach flow, you’ll specify the user’s existing Stytch
user_id before the OAuth flow starts – so your user will need to be logged in at the point when this happens. We generally suggest surfacing some sort of “Link your OAuth account” functionality for logged-in users (ideally during signup) where you complete the OAuth attach flow. After the OAuth attach flow is completed successfully, your user will be able to log in using either email address going forward.
Please let me know if you have questions about this, and I’ll be happy to help!
OMG. I’m so sorry!
I thought that “Attach” was a Provider!
You may want to update the documentation to seperate it from the providers!
Hey Daniel – no worries at all, and thanks for that feedback! I can definitely see how that could be confusing. I’ll file a ticket for us to rethink our OAuth API reference hierarchy
Please let us know if anything else comes up!