Hi, I am using flask and the python SDK to give my users the ability to register / login using Magic Links or Google OAuth. It seems if I start the flow with a Magic Link and register that way, then log out and try to again using Google OAuth with the same email address, the user gets redirected to a stytch hosted page stating:
{“status_code”:400,“request_id”:“request-id-test-xxxxxxx”,“error_type”:“duplicate_email”,“error_message”:“A user with the specified email already exists for this project.”,“error_url”:“Authentication API reference - errors | Stytch”}
I thought Stytch would merge this with the existing user if they are both from verified sources (Magic Link email / Google OAuth). When I try the hosted Demo app it seems to not have an issue with this, I am not sure what I am doing wrong or if there is a setting I need.
The Magic Link I am using Login or Create method (Authentication API reference - log in or create user by email | Stytch). Since the user is not logged in at start of the Google OAuth, there is no way to use Attach in the OAuth flow since I don’t know what/who is logging in when they click the Google OAuth button.
Wanted to add some more info here after testing:
This seems to be behaving fine for @gmail.com accounts – regardless of order of magic link / login as google it seems to merge properly, however my custom domain that I use with google does not (@kaplin.tech).
I tested the @gmail.com accounts both ways, creating acct via magic link and logging in with google after, and vice versa and worked perfect.
My custom domain will not merge the google and magic link together, if I try google first it will create an account, then magic link will create its own account seperately so I end up with 2 accounts and then log in with google no longer works (gives the message from first post), but the magic links will continue to work. If I do magic link first, google just fails before it can even make an account on stytch.
Hey Mark,
Thanks so much for posting and for providing the follow-up context from troubleshooting!
Looking on our end, I’m seeing several different user_ids for your @kaplin.tech email address across several different Stytch projects.
My custom domain will not merge the google and magic link together, if I try google first it will create an account, then magic link will create its own account seperately so I end up with 2 accounts and then log in with google no longer works (gives the message from first post), but the magic links will continue to work.
Would you mind sending over the two user_ids corresponding to this particular scenario, where two separate user_ids in the same project have the same email address?
Sure thing, I just cleared out all my users in both test / live on my project to get a clean start,
Here are the user_ids in my test environment on project “AegisG”
user-test-c1992293-25cb-4ca0-b33e-275fe38ae684
user-test-8eb2dc67-01db-47be-a062-2361dfb28538
Steps taken: Logged in with google to with my @kaplin.tech. Logged out, then used magic link to my @kaplin.tech
Now can’t login via google (and 2 accounts created on project).
When trying to log in with google:
{"status_code":400,"request_id":"request-id-test-04484abc-ab67-43b4-9ccd-0aafcb6bb4be","error_type":"duplicate_email","error_message":"A user with the specified email already exists for this project.","error_url":"https://stytch.com/docs/api/errors/400#duplicate_email"}
Hey Mark – thanks so much for that additional information! That’s really helpful.
It looks like the issue here is due to some User reactivation logic that’s causing two separate Stytch Users (user-test-c1992293-25cb-4ca0-b33e-275fe38ae684 and user-test-8eb2dc67-01db-47be-a062-2361dfb28538) associated with the same email address to be reactivated depending on which product you’re using, and is thus causing duplicate_email errors.
It looks like you got into this state by explicitly adding your email address to user-test-8eb2dc67-01db-47be-a062-2361dfb28538 by including that user_id in a Magic Links Send request after having created and deleted user-test-c1992293-25cb-4ca0-b33e-275fe38ae684 via Google OAuth. From that point forward, any Magic Links requests for that email address corresponded to (and revived, if deleted) user-test-8eb2dc67-01db-47be-a062-2361dfb28538, while any OAuth requests for that email address corresponded to (and revived, if deleted) user-test-c1992293-25cb-4ca0-b33e-275fe38ae684. When both Users became active at the same time, duplicate_email errors started occurring.
All of that said – this is unintended behavior, and we currently have a project underway to totally remove the User reactivation logic that is causing this to happen. After that project is complete, you should no longer run into this edge case.
In the meantime, we’d be happy to permanently delete both of those Test Users to unblock you from further testing. Is that something you’d like us to do? I apologize for the trouble!
Thank you for investigating, I didn’t realize deleting them out would not truly delete them out but I get it now. Yes please clean it up for me if you don’t mind. Thanks!
Of course! Our team is out today celebrating July 4th, but we should be able to permanently delete those two Users sometime tomorrow. I’ll let you know as soon as that’s complete!
Hey Mark – we’ve deleted those two Users, and you should be able to continue testing with a clean slate. Please let us know if any other questions come up!