OAuth2 authentication and account linking #12

Closed
opened 2026-06-12 20:27:30 +00:00 by james · 0 comments
Owner

Scope

  • OAuth2 sign-in via Auth.js (NextAuth). At least one provider configured by default; the provider list is env-driven so self-hosters can pick their own.
  • Data model: a User row can have any of: a local-identity row, one or more OAuth-identity rows, or both.
  • Account linking is explicit. When signed in as a local user, the user can attach an OAuth2 identity. When signed in as an OAuth2 user, they can attach a local password. Do not auto-merge by email.
  • Unlinking is allowed as long as the user retains some way to sign in.

Acceptance criteria

  • A user can sign in with either identity type and reach the same account.
  • Linking and unlinking flows work from both directions.
  • Tests cover: OAuth sign-in for a new user, OAuth sign-in for a linked user, link/unlink success and failure cases.

Part of epic #1. Depends on #11.

james closed this issue 2026-06-17 15:02:35 +00:00
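The three rules in the issue (identity lookup by provider account rather than by email, linking driven by the signed-in session, and unlinking refused for the last sign-in method) are where account-takeover bugs usually land in OAuth linking code, so here is an added example showing them as runnable logic. This is not code from the carol project or from Auth.js; `Store`, its method names and the in-memory tables are assumptions made for the illustration, and the choice to refuse an OAuth sign-in whose email is already registered to an unlinked account (rather than create a second account) is also an assumption. With a database adapter, Auth.js itself only auto-links by email when a provider is configured with `allowDangerousEmailAccountLinking: true`, so the self-hoster check for the "do not auto-merge by email" rule is that this option stays unset.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "crypto";

type User = { id: string; email: string };
type LocalIdentity = { kind: "local"; id: string; userId: string; salt: string; hash: string };
type OAuthIdentity = { kind: "oauth"; id: string; userId: string; provider: string; providerAccountId: string };
type Identity = LocalIdentity | OAuthIdentity;

// In-memory stand-in for the User / local-identity / OAuth-identity tables.
// Store and its method names are assumptions made for this illustration.
class Store {
  private users = new Map<string, User>();
  private identities = new Map<string, Identity>();
  private seq = 0;
  private nextId(): string { return String(++this.seq); }

  identitiesOf(userId: string): Identity[] {
    return Array.from(this.identities.values()).filter(i => i.userId === userId);
  }

  private findOAuth(provider: string, providerAccountId: string): OAuthIdentity | undefined {
    return Array.from(this.identities.values()).find(
      (i): i is OAuthIdentity =>
        i.kind === "oauth" && i.provider === provider && i.providerAccountId === providerAccountId);
  }

  // OAuth sign-in keys on (provider, providerAccountId), never on the email claim.
  // Assumption: if the email is already registered to another account, refuse and
  // make the user sign in there and link explicitly instead of merging.
  signInWithOAuth(provider: string, providerAccountId: string, email: string): User {
    const existing = this.findOAuth(provider, providerAccountId);
    if (existing) return this.users.get(existing.userId)!;
    if (Array.from(this.users.values()).some(u => u.email === email))
      throw new Error("email already registered: sign in to that account and link this provider");
    const user: User = { id: this.nextId(), email };
    this.users.set(user.id, user);
    this.linkOAuth(user.id, provider, providerAccountId);
    return user;
  }

  // Linking attaches the identity to the caller's *session* user; taking a user id
  // from the request body instead would let anyone attach an identity to someone else.
  linkOAuth(sessionUserId: string, provider: string, providerAccountId: string): OAuthIdentity {
    if (!this.users.has(sessionUserId)) throw new Error("not signed in");
    if (this.findOAuth(provider, providerAccountId)) throw new Error("that provider account is already linked");
    const ident: OAuthIdentity = { kind: "oauth", id: this.nextId(), userId: sessionUserId, provider, providerAccountId };
    this.identities.set(ident.id, ident);
    return ident;
  }

  linkLocal(sessionUserId: string, password: string): LocalIdentity {
    if (!this.users.has(sessionUserId)) throw new Error("not signed in");
    if (this.identitiesOf(sessionUserId).some(i => i.kind === "local")) throw new Error("password already set");
    const salt = randomBytes(16).toString("hex");
    const hash = scryptSync(password, salt, 32).toString("hex");
    const ident: LocalIdentity = { kind: "local", id: this.nextId(), userId: sessionUserId, salt, hash };
    this.identities.set(ident.id, ident);
    return ident;
  }

  signInWithPassword(email: string, password: string): User | undefined {
    const user = Array.from(this.users.values()).find(u => u.email === email);
    if (!user) return undefined;
    const local = this.identitiesOf(user.id).find((i): i is LocalIdentity => i.kind === "local");
    if (!local) return undefined;
    const candidate = scryptSync(password, local.salt, 32);
    return timingSafeEqual(candidate, Buffer.from(local.hash, "hex")) ? user : undefined;
  }

  // Unlinking must leave the user at least one way to sign in.
  unlink(sessionUserId: string, identityId: string): void {
    const ident = this.identities.get(identityId);
    if (!ident || ident.userId !== sessionUserId) throw new Error("no such identity on this account");
    if (this.identitiesOf(sessionUserId).length <= 1) throw new Error("cannot remove the last sign-in method");
    this.identities.delete(identityId);
  }
}
```

The failure cases the acceptance criteria ask tests for fall out directly: a second provider presenting an already-registered email is refused rather than merged, a provider account already linked elsewhere cannot be attached to another session's user, and `unlink` throws once only one identity remains.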
Reference
james/carol#12