
Presented with a prompt to link account using password when pre-existing account does not use password auth method #400

Open
4 of 5 tasks
markaduol opened this issue Nov 14, 2024 · 7 comments
Labels
bug Something is not working.

Comments

@markaduol

Preflight checklist

Ory Network Project

https://interesting-mcnulty-i7fnu6z46n.projects.oryapis.com

Describe the bug

When trying to sign in with SSO, I am presented with a prompt to link my account using a password, even though my pre-existing account does not use the password auth method.

Steps to reproduce:

  1. Set up an Enterprise SSO connection and, via self-service registration, create an account that is managed by the SSO organisation.
  2. Remove the Google OIDC connection for my Enterprise SSO organisation
  3. On the same organisation, set up a new Google OIDC connection
  4. The OIDC connection now has a different redirect URI
  5. Try to sign in with SSO
  6. Run into this prompt asking me to link my account by providing a password
  7. Can't provide a password because my account has no password auth method (only the outdated OIDC auth method)
  8. Therefore, can't link the account and so can't log in using the new OIDC connection

[Screenshot 2024-11-14 at 10 40 43]

Reproducing the bug

Follow steps described in the previous section

Relevant log output

No response

Relevant configuration

No response

Version

Ory Network

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Ory Network

Additional Context

No response

@markaduol markaduol added the bug Something is not working. label Nov 14, 2024
@markaduol
Author

Furthermore, the CX in the ticket description occurs only when login hints are not enabled. When they are enabled, no form field is displayed.

[Screenshot 2024-11-14 at 10 50 32]

@hperl

hperl commented Nov 14, 2024

Thanks for the report! This is what I found out so far:

  • If you delete the old OIDC SSO connection, the credential is still part of the identity, so if you then use the new OIDC connection, it wants to use the previous credentials to confirm
  • Since that is deleted, you get an empty screen (when login hints are enabled); when login hints are disabled, you get a generic collection of authentication methods, because it mustn't tell you the available credentials

This also applies to other flows that use account linking, but then you usually can recover your account.

I can think of two ways to resolve this

  • special-case account linking to allow linking of accounts between providers of the same organization
  • allow to confirm account linking using the code or link strategy (getting a code sent to the user's email address).

@jonas-jonas @aeneasr WDYT?

@markaduol
Author

allow to confirm account linking using the code or link strategy (getting a code sent to the user's email address).

I found that the code linking strategy allows me to complete account linkage and sign in successfully. However, the only issue is that it comes with a confusing UI on the registration and login pages.

Standard login page

[Screenshot 2024-11-14 at 11 19 27]

After filling in email with an email domain targeted by the Enterprise org

[Screenshot 2024-11-14 at 11 20 14]

@aeneasr
Member

aeneasr commented Nov 14, 2024

The UI will improve with the new release of ory elements. Right now this appears to be an edge case because it involves multiple steps that are not very common (removing an org and then re-adding the same provider again). As such we can keep the report open, but I would not expect a timely resolution.

@markaduol
Author

Does this mean it is not possible to remove an Enterprise SSO org and still support basic registration and login?

@aeneasr
Member

aeneasr commented Nov 14, 2024

It means that this sequence is not fully supported:

Steps to reproduce:

  1. Set up an Enterprise SSO connection and, via self-service registration, create an account that is managed by the SSO organisation.
  2. Remove the Google OIDC connection for my Enterprise SSO organisation
  3. On the same organisation, set up a new Google OIDC connection
  4. The OIDC connection now has a different redirect URI
  5. Try to sign in with SSO
  6. Run into this prompt asking me to link my account by providing a password
  7. Can't provide a password because my account has no password auth method (only the outdated OIDC auth method)
  8. Therefore, can't link the account and so can't log in using the new OIDC connection

If your user does not have an auth method, it is not possible to securely link them to the account. How would it? In general, don't remove OIDC providers once they're used by someone to log in, as you risk locking them out of their account.

Because B2B SSO disables account recovery, you essentially removed ALL auth methods for the user, and a way for them to recover. The account is simply bricked until you intervene, reset the org id on the user, reset their account, and then ask them to link again.

Now that I'm writing this, I don't think this is a use case we would support. We should probably document that it's a really, really bad idea to remove 3rd party sign-in providers after users have used them to sign in.

@markaduol
Author

The ideal solution in this case would be to prevent an account from ever falling into this state - even accidentally. It is like the equivalent of allowing a process to enter a deadlock.

I would even argue that the previous issue emerged from allowing an account to enter a state in which no auth methods were available. Issue: #399

There should probably be some static check verifying that at any given point, an account has at least one auth method that can be used for sign-in.
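As an added illustration of the invariant proposed above (and of the stale-credential situation hperl describes, where a deleted provider is still referenced by the identity), here is a pre-flight check that simulates removing a provider and reports which identities would be left with no usable sign-in method. This is example code written for this thread, not Ory's own; it assumes a simplified identity model in which `CodeEnabled` is false for B2B SSO organisations because recovery is disabled there.

```go
package main

import "fmt"

// Simplified identity model assumed for this example (not Ory Kratos's real
// schema). CodeEnabled is false for B2B SSO orgs, where recovery is disabled.
type Identity struct {
	ID                       string
	OIDCProviders            []string // linked provider IDs, e.g. "google"
	HasPassword, CodeEnabled bool
}

// UsableMethods lists the methods the identity can still sign in with; an
// OIDC credential whose provider is no longer configured is stale and ignored.
func UsableMethods(id Identity, configured map[string]bool) []string {
	var m []string
	if id.HasPassword {
		m = append(m, "password")
	}
	if id.CodeEnabled {
		m = append(m, "code")
	}
	for _, p := range id.OIDCProviders {
		if configured[p] {
			m = append(m, "oidc:"+p)
		}
	}
	return m
}

// LockedOutByRemoval simulates deleting one provider and returns the IDs that
// would be left with no sign-in method, i.e. the invariant would be violated.
func LockedOutByRemoval(ids []Identity, configured map[string]bool, remove string) []string {
	after := map[string]bool{}
	for p, ok := range configured {
		after[p] = ok && p != remove
	}
	var locked []string
	for _, id := range ids {
		if len(UsableMethods(id, after)) == 0 {
			locked = append(locked, id.ID)
		}
	}
	return locked
}

func main() {
	// Constructed sample: alice is SSO-only, bob also has a password.
	ids := []Identity{{ID: "alice", OIDCProviders: []string{"google"}},
		{ID: "bob", OIDCProviders: []string{"google"}, HasPassword: true}}
	fmt.Println(LockedOutByRemoval(ids, map[string]bool{"google": true}, "google")) // [alice]
}
```

A non-empty result is the signal to refuse the provider deletion (or to first add another method for the affected identities) rather than bricking those accounts.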
