Congratulations, this is a big release. Some great features in there. Love the phone number as a first class citizen, something we've been considering for a while.
(I work for a competitor, FusionAuth.)
I noticed account linking, between social accounts and existing accounts, based on email matching, was a new feature.
It's documented here: https://www.ory.sh/docs/kratos/social-signin/link-multiple-p... I believe.
The document walks through the "linking an existing account with a password to a social account" scenario. I was wondering if there is also the ability to go the other way, from an existing social account to adding a password?
How do you handle the case where Alice signs up with a username of alice@example.com but later wants to link alice@gmail.com?
I also wonder if you can block account linking on a per-user basis, or if it is enabled for everyone in a system.
We've had account linking for a few years (documentation here: https://fusionauth.io/docs/lifecycle/authenticate-users/iden... ) and have had customers bring up some edge cases like this.
We have solved all the edge cases that have been brought to us in terms of account linking, and the recent changes further improve the user experience in these scenarios. There are many credential types around these days, from passkeys to OTP codes to passwords and OIDC. The biggest challenge is always ensuring the flows are secure, which is the hardest part in our view.
ps: I find it a tad frustrating that on every Ory post FusionAuth is shilling in the comments, even if the comment is tangential but clearly intended (through links and name dropping) to draw attention away. It would be much better if FusionAuth focused on releasing open source themselves and truly contributed back to the security community instead.
That's great that you've covered all the use cases you've seen. I'm sure you'll continue to build out this useful functionality. Agree that making sure the flows are secure is critical.
> ps: I find it a tad frustrating that on every Ory post FusionAuth is shilling in the comments, even if the comment is tangential but clearly intended (through links and name dropping) to draw attention away.
Hmmm. Appreciate the feedback. I try to avoid shilling, be upfront about my employment, and add useful comments to any auth-related posts on HN, not just those about Ory.
I have a lot of respect for what Ory has built (for example, I featured your post about multi-region CIAM in my CIAM newsletter: https://ciamweekly.substack.com/p/multi-region-ciam ), but I will bring my own perspective to my comments, and that is definitely colored by my experience at FusionAuth as well as the fact that they employ me.
Glad I am not the only one who noticed, and not just on Ory posts. Once in a while, the leading question and a last paragraph on how "my product X solves this" is okay. Sometimes even informative. But too often, and bleh, it is like spam.
My experience is that, in general, edge cases are not Kratos's strong suit. It works very well for the base case, but for anything fancy you are generally on your own. But I don't mind, since it is OSS and someone can contribute/fork if they want.