• Resolved mmki

    (@mmki)


    Hi @auth0josh,

    I’ve found this error using the Login by Auth0 WordPress plugin, but I can recreate it with the Auth0 API.

    Using the Auth0 API I can get a user by id. The problem is that the same id is used across different database connections, but when getting the user by id I don’t specify which connection I want to use, so I can get the wrong identity.

    For example:

    I have one email address and I use it to create accounts in different database connections (one email address has many identities).

    Using the API /api/v2/users-by-email I pass ‘[email protected]’ and I get something like this:

    
    [
      {
        "username": "foo_1",
        "email": "[email protected]",
        "user_id": "auth0|1",
        ...
        "identities": [
          {
            "user_id": "1",
            "provider": "auth0",
            "connection": "CONNECTION_1",
            "isSocial": false
          }
        ],
        ...
      },
      {
        "nickname": "foo_2",
        "email": "[email protected]",
        "user_id": "auth0|1"
        ...
        "identities": [
          {
            "user_id": "1",
            "provider": "auth0",
            "connection": "CONNECTION_2",
            "isSocial": false
          }
        ],
        ...
      },
      {
        "email": "[email protected]",
        "name": "foo_3",
        "user_id": "auth0|1",
        ...
        "identities": [
          {
            "user_id": "1",
            "provider": "auth0",
            "connection": "CONNECTION_3",
            "isSocial": false
          }
        ],
       ...
      }
    ]
    

    Then I run GET /api/v2/users/{id} and pass auth0|1 and get one of the three identities. I don’t have to specify which connection to use:

    
    {
      "nickname": "foo_2",
      "email": "[email protected]",
      "user_id": "auth0|1",
      ...
      "identities": [
        {
          "user_id": "1",
          "provider": "auth0",
          "connection": "CONNECTION_2",
          "isSocial": false
        }
      ],
      ...
    }
    

    This error affected my WordPress sites too.
    Recently I set up a new WordPress installation with the Auth0 plugin. I registered a new user account there (let’s say [email protected]) and found that I could not log in. I changed the password and logged into that account, only to find that WordPress was showing me another identity from another connection that was disabled for this application (let’s say [email protected]).

    In the Auth0 dashboard, in the Logs section, I found that [email protected] was logging in to my new WordPress site. In the Auth0 dashboard Users section I also had [email protected] at the top of the list, but when I clicked it I saw the [email protected] identity, and in the [email protected] account’s History section I saw logs indicating that this account had logged in to my new WP site too. The get_user and login migration scripts were returning the identity for [email protected].

  • @mmki – You’re on a roll! I appreciate your detailed reports and keeping these in separate threads.

    This is more of a limitation of the plugin than the Auth0 platform as a whole. It’s true that the get user route does not handle users with the same user ID well but that’s what the list/search user endpoint is for:

    https://auth0.com/docs/api/management/v2#!/Users/get_users

    You can search for users by ID and connection that way.

    The problem here, though, is that saving a connection ID/name in WordPress to use when searching for users means you would have to keep it up to date with the Auth0 dashboard. That’s a big “gotcha” if connections get shuffled around for any reason.

    That said, I think we need to change how user information is gathered for sites that are using migration. Specifically, we’ll need to skip the Management API and use the data we get back from login.

    The best way to address this on your sites now is to make the same change I mentioned in the Wordfence notification emails thread. If you turn on “Implicit login flow” on the Advanced tab, you’ll get the basic user data from the ID token returned from Auth0 instead of from the Management API (happy to get into more technical details if it would help). This will ensure that the data you’re getting matches the user that logged in.

    I’ll work on a solution here in a release soon. Thank you again for bringing this limitation to our attention.

    Thread Starter mmki

    (@mmki)

    @auth0josh – I’m glad that you are working to solve this problem.

    Please note that this error is affecting Auth0 dashboard too. I’m seeing correct account on the users list but it is linking to wrong identity.

    Thread Starter mmki

    (@mmki)

    Two more things:
    1) I turned on Implicit Login Flow on a WordPress site that is configured as an Auth0 application that allows Auth0’s database connection with database migration. I logged in to that site with an email that is used in two database connections with migration. With implicit login flow I saw the right email in my user’s profile, but when I checked the Auth0 dashboard I saw that the latest login was from the second database connection linked to that email, even though that database connection wasn’t allowed for my application.
    EDITED: I checked the Auth0 dashboard logs too, and the logs state that it was the right account – so only the users list is corrupted.

    2) In the Auth0 dashboard, if I search by email I only see an account once although it is in two databases.


    Please note that this error is affecting Auth0 dashboard too. I’m seeing correct account on the users list but it is linking to wrong identity.

    I’m not sure I totally understand. Can you give me a little more detail here?

    With implict login flow I saw the right email in my user’s profile but when i checked on Auth0 dashboard I saw that the latest login was from the second database connection linked to that email but that database connection wasn’t allowed for my application.

    Are you sure you’re looking in the right place? It’s pretty unlikely that the core Auth0 product is handling this incorrectly without a massive flood of support tickets. I only say that because I have not seen this behavior while testing. If you can give me reproduction steps here, I’d be happy to take a look.

    In Auth0 dashboard if I search by by email I only see an an account once although it is in two databases.

    I’m not seeing that behavior on my end:

    https://www.dropbox.com/s/8y6rdqwyuewf97z/Screen%20Shot%202019-04-23%20at%2010.25.39%20AM.png?dl=0

    Thread Starter mmki

    (@mmki)

    I’m not sure I totally understand. Can you give me a little more detail here?

    I have these two accounts, that were mixed in wordpress:

    [email protected]

    
    [
      {
        "email": "[email protected]",
        "email_verified": true,
        "nickname": "spam",
        "name": "[email protected]",
        "user_id": "auth0|2599",
        ...
        "identities": [
          {
            "user_id": "2599",
            "provider": "auth0",
            "connection": "CONNECTION_1",
            "isSocial": false
          }
        ],
        ...
        "logins_count": 6
      }
    ]
    

    [email protected]

    
    [
      {
        "email": "[email protected]",
        "email_verified": false,
        "nickname": "foo",
        "name": "[email protected]",
        "user_id": "auth0|2599",
        ...
        "identities": [
          {
            "user_id": "2599",
            "provider": "auth0",
            "connection": "CONNECTION_2",
            "isSocial": false
          },
          {
            "profileData": {
              "email": "[email protected]",
              "email_verified": true,
              "nickname": "foo"
            },
            "user_id": "2611",
            "provider": "auth0",
            "connection": "CONNECTION_1",
            "isSocial": false
          }
        ],
        ...
        "logins_count": 28
      }
    ]
    

    I go to https://manage.auth0.com/ > Users&Roles > Users
    I click on [email protected] but I get [email protected]

    Thread Starter mmki

    (@mmki)

    Are you sure you’re looking in the right place? It’s pretty unlikely that the core Auth0 product is handling this incorrectly without a massive flood of support tickets. I only say that because I have not seen this behavior while testing. If you can give me reproduction steps here, I’d be happy to take a look.

    After I wrote this message I found that this was only a display error on the Users list (https://manage.auth0.com/ > Users&Roles > Users).

    I have [email protected] in CONNECTION_1 and CONNECTION_2.
    The Users list shows accounts ordered by latest login.
    I turned on implicit login flow and logged in to my site. It was configured in such a way that I expected foo@bar with CONNECTION_1.
    I checked the latest login on the Users list and saw foo@bar from CONNECTION_2 (wrong).
    I checked the logs (https://manage.auth0.com/ > Logs) and saw foo@bar from CONNECTION_1 (correct).

    According to the logs it is only a display error on the Users list.

    Thread Starter mmki

    (@mmki)

    I’m not seeing that behavior on my end:

    Check the response from the API above for [email protected].

    I would expect to get both [[email protected] & CONNECTION_1] and [[email protected] & CONNECTION_2]. Am I right or maybe that is correct behavior? I get:

    identities.connection:"CONNECTION_1"
    [foo@bar & CONNECTION_2]

    email:"[email protected]"
    [foo@bar & CONNECTION_2]

    I would expect [foo@bar & CONNECTION_1] for this one:

    identities.connection:"CONNECTION_1" AND email:"foo@bar"
    [foo@bar & CONNECTION_2]


    If you just get a single user from that endpoint, you get whatever the API finds for the “first” user with that ID. That’s not ideal behavior from the API but unlikely to be changed anytime soon. I will definitely pass along the feedback, though.

    I’ll be fixing the plugin to avoid this issue but, if you’re working with the API and want to make sure you’re getting the right user, you want to search for a user with the connection you want using this endpoint:

    https://auth0.com/docs/api/management/v2#!/Users/get_users

    … with something like this for the q parameter:

    
    identities.connection:"CONNECTION_1" AND email:"[email protected]"
    

    If you have Implicit flow turned on, you’re only getting data from the ID token, which does not include connection information. You’ll get a sub (Auth0 user ID) and that should match the one in Auth0. If you’ve got 2 users in Auth0 with the same email address and the same Auth0 user ID, it will be difficult to tell which one is coming through. In fact, your WordPress site can’t really know the difference (though it shouldn’t have to since there can’t be two users with the same email address).

    Also, if you’re now linking identities between users on two sites with custom databases, the complexity factor here goes through the roof, I’m not even sure how that could possibly be handled correctly.
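    The lookup Josh describes above, as an added example that is not code from the thread or from the Login by Auth0 plugin: it builds the connection-pinned q= expression for GET /api/v2/users, calls the Management API v2 through an injectable HTTP function so it can run offline, and then refuses to accept anything other than exactly one matching record rather than taking whatever GET /api/v2/users/{id} returns first. The domain, token, sample records and the `_fake_http_get` stand-in are constructed for illustration.

```python
"""Disambiguating Auth0 users whose user_id collides across database connections.

Added example; not from the thread or the plugin. GET /api/v2/users/{id} returns
whichever record the API finds first for a colliding id, so we search with a q=
filter that pins the connection and validate that exactly one record comes back.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Sequence


def _quote(value: str) -> str:
    """Wrap a value as a Lucene phrase, escaping backslash and double quote so a
    user-supplied email cannot break out of the term and widen the search."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_user_query(email: str, connection: str) -> str:
    """The q= expression from the thread: identities.connection:"C" AND email:"e"."""
    return f"identities.connection:{_quote(connection)} AND email:{_quote(email)}"


def pick_user(candidates: Sequence[dict], connection: str) -> dict:
    """Keep only records carrying an auth0 identity in `connection`.
    Zero or more than one match is an error: never fall back to 'first wins'."""
    matches = [
        u for u in candidates
        if any(i.get("provider") == "auth0" and i.get("connection") == connection
               for i in u.get("identities", []))
    ]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one user in {connection}, got {len(matches)}")
    return matches[0]


def _default_http_get(url: str, token: str) -> bytes:
    """Real transport: bearer token against the Management API (HTTPS only)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def lookup_user(domain: str, token: str, email: str, connection: str,
                http_get: Callable[[str, str], bytes] = _default_http_get) -> dict:
    """Search Management API v2 with the connection-pinned query, then validate."""
    params = urllib.parse.urlencode({
        "q": build_user_query(email, connection),
        "search_engine": "v3",
    })
    body = http_get(f"https://{domain}/api/v2/users?{params}", token)
    return pick_user(json.loads(body), connection)


# Constructed sample: the collision from the thread, three records sharing auth0|1.
SAMPLE_USERS = [
    {"username": "foo_1", "email": "foo@bar.example", "user_id": "auth0|1",
     "identities": [{"user_id": "1", "provider": "auth0", "connection": "CONNECTION_1", "isSocial": False}]},
    {"nickname": "foo_2", "email": "foo@bar.example", "user_id": "auth0|1",
     "identities": [{"user_id": "1", "provider": "auth0", "connection": "CONNECTION_2", "isSocial": False}]},
    {"name": "foo_3", "email": "foo@bar.example", "user_id": "auth0|1",
     "identities": [{"user_id": "1", "provider": "auth0", "connection": "CONNECTION_3", "isSocial": False}]},
]


def _fake_http_get(url: str, token: str) -> bytes:
    """Offline stand-in for the API (constructed): applies the q= filter to SAMPLE_USERS.
    Relies on build_user_query's fixed shape; the real search runs server-side."""
    q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["q"][0]
    _, connection, _, email, _ = q.split('"')
    hits = [u for u in SAMPLE_USERS
            if u["email"] == email
            and any(i["connection"] == connection for i in u["identities"])]
    return json.dumps(hits).encode()


if __name__ == "__main__":
    user = lookup_user("example.auth0.com", "constructed-token", "foo@bar.example",
                       "CONNECTION_2", http_get=_fake_http_get)
    print(user["identities"][0]["connection"], user["nickname"])
```

    Replace `_fake_http_get` with the default transport and a real Management API token (with `read:users`) to run it against a tenant; the point is that the caller states the connection it expects and the code fails closed when the tenant cannot satisfy that uniquely.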

    Thread Starter mmki

    (@mmki)

    Thanks for the information.

    I’ll be fixing the plugin to avoid this issue

    That’s great to hear.

    Will someone fix the users list in the Auth0 dashboard too?

    Josh C

    (@auth0josh)

    Will someone fix the users list at Auth0 dashboard too?

    I’m not clear on what needs to be changed there. The overlapping user IDs will cause issues anywhere that a user ID is used but the dashboard does not use that to get users (except when you link in the URL, as the plugin does).

    The issue with these overlapping user IDs is known and, since it’s caused by a user-provided script (in this case, plugin-provided), there isn’t anything currently planned to address it. The fix for the plugin will be to namespace these user IDs for new sites as suggested here:

    https://auth0.com/docs/users/normalized/auth0/identify-users

    That won’t solve your current issue, though, as the users already have overlapping user IDs. We have a few options to correct this once we have the new database script ready:

    – If you don’t have any user data stored that needs to be kept (if you’re only using the connection to support login and not storing any metadata or anything else), you can delete the connection with all the users, create a new one with the new script, and restart the migration. Since you’re using WordPress to authenticate, this shouldn’t have any negative effects on the user experience at all.
    – If you do have data in Auth0 that needs to be kept, you can use our import/export extension to export the users, search/replace to update the user ID, then re-import. This has the advantage of being able to test on a new database connection first before you switch over. Happy to help with this process so we can document it for anyone else that might need to.
    – If you have a paid account, you can contact our support team to run a database update script to change the user IDs to a namespaced version.

    Again, these options will need to happen after we have a new version of the database script ready (early next week).

    Thanks for your patience with this!
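    The export / search-and-replace / re-import route in the second option above, as an added example that is not code from the thread or from the plugin: it finds colliding `user_id` values in a set of exported records, rewrites the identity for the connection being migrated into a namespaced form, and re-checks for collisions. The record shape mirrors the Management API responses quoted in this thread; the actual export file layout and the namespace format the 3.11.0 plugin script uses are not stated on this page, so the `<prefix>-<id>` scheme, the `site2` prefix and the sample records are assumptions.

```python
"""Namespace colliding Auth0 database-connection user IDs before re-import.

Added example; not from the thread or the plugin. Assumes records shaped like
the Management API responses in this thread and an assumed namespace format
"<prefix>-<id>". Only identities of the migrated connection are renamed, so a
linked identity from another connection keeps its ID and the link stays valid.
"""
import copy
from collections import Counter
from typing import List


def find_colliding_ids(users: List[dict]) -> List[str]:
    """Top-level user_id values that appear on more than one record."""
    counts = Counter(u["user_id"] for u in users)
    return sorted(uid for uid, n in counts.items() if n > 1)


def namespace_user_ids(users: List[dict], connection: str, prefix: str) -> List[dict]:
    """Return a deep copy where every auth0 identity in `connection` is renamed to
    '<prefix>-<original id>' (assumed format) and the top-level user_id is rebuilt
    from the primary identity (identities[0]) as '<provider>|<id>'. Idempotent."""
    out = []
    for user in users:
        user = copy.deepcopy(user)
        for ident in user.get("identities", []):
            if ident.get("provider") != "auth0" or ident.get("connection") != connection:
                continue  # leave other connections' identities untouched
            if ident["user_id"].startswith(prefix + "-"):
                continue  # already namespaced; safe to run twice
            ident["user_id"] = f"{prefix}-{ident['user_id']}"
        primary = user["identities"][0]
        user["user_id"] = f"{primary['provider']}|{primary['user_id']}"
        out.append(user)
    return out


# Constructed sample mirroring the two colliding records quoted in the thread.
EXPORTED_USERS = [
    {"email": "spam@example.test", "nickname": "spam", "user_id": "auth0|2599",
     "identities": [
         {"user_id": "2599", "provider": "auth0", "connection": "CONNECTION_1", "isSocial": False},
     ]},
    {"email": "foo@bar.example", "nickname": "foo", "user_id": "auth0|2599",
     "identities": [
         {"user_id": "2599", "provider": "auth0", "connection": "CONNECTION_2", "isSocial": False},
         {"profileData": {"email": "foo@bar.example", "email_verified": True, "nickname": "foo"},
          "user_id": "2611", "provider": "auth0", "connection": "CONNECTION_1", "isSocial": False},
     ]},
]


if __name__ == "__main__":
    print("before:", find_colliding_ids(EXPORTED_USERS))
    fixed = namespace_user_ids(EXPORTED_USERS, "CONNECTION_2", "site2")
    print("after: ", find_colliding_ids(fixed))
    for u in fixed:
        print(u["user_id"], [i["user_id"] for i in u["identities"]])
```

    Run `find_colliding_ids` on the export first; if it returns anything, namespace the connection(s) you are migrating, confirm it returns an empty list, and only then import into a fresh test connection as the post suggests. The same `prefix` must then be used by the connection's login and get_user scripts, or new logins will recreate unnamespaced records next to the fixed ones.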

    This has been fixed in version 3.11.0. There are also detailed instructions on fixing existing Connections with overlapping user IDs here:

    https://auth0.com/docs/cms/wordpress/user-migration#cannot-change-email-or-incorrect-user-data


The topic ‘Important error – mixing identities’ is closed to new replies.