Planning for 1.0: Support multiple providers per user

[pilcrowonpaper]

Summary

Users can now have multiple providers. Users must have at least one provider and the provider added on user creation cannot be removed.

core

// params order, shape not final
await auth.createUser(attributes, {
  name,
  identifier,
  password
});
await auth.addProvider(userId, {
  provider,
  identifier,
  password
});
await auth.removeProvider(userId, provider);
await auth.getUserProviders(userId);

OAuth

const { linkProvider } = await providerAuth.validateCallback(code);
await linkProvider(userId);

Concepts

Users can have more than one providers. To prevent users from being locked out of their account, and to act as a safe guard, Lucia will not allow the provider used on user creation to be removed ("unlinked"). Such providers will have a og flag (name no final). Providers can also have passwords (optional), same as how users have right now.

With this, the user table will only required the user_id column and nothing else.

APIs

Creating user

createUser() will create both a new user and provider. Something that I'm not sure is if the parameter for createUser() should be a large single object or if it should be split into 2. For now, I have it split since one is for the user specifically and one is for provider specifically. Since we're creating a user, and then a provider, the order should be user attributes => provider options.

The provider used will be have a og flag.

await auth.createUser(attributes, {
  name,
  identifier,
  password
});

Adding providers

Passwords are now held by provider.

await auth.addProvider(userId, {
  provider,
  identifier,
  password
});

Removing providers

Providers can be removed using the provider's name. Providers with the og flag cannot be removed.

await auth.removeProvider(userId, provider);

Linking providers via the OAuth package

validateCallback() will return a new function linkProvider(), a wrapper around auth.addProvider().

const { linkProvider } = await providerAuth.validateCallback(code);
await linkProvider(userId);

Database model

user

name	type	unique
id	string	true

provider

Unlike user, custom data cannot be stored.

name	type	reference	unique	pattern
id	string		true	[provider_name]:[identifier]
user_id	string	user(id)	true
og	boolean

Migration

A migration script or guide (with db commands) to move user(provider_id) to provider(id) will be provided.

[v-rogg]

I believe the support of multiple providers is necessary for a v1.0. At first glance, your proposal looks similar to auth.js's user/account separation, which, in my eyes, makes sense.

[kesdigital]

I agree with this, having multiple providers per user is a great idea. I have a suggestion, how about adding a unique email field to the user, that way there is a way to identify a user when they sign in with a different provider. An example is if I signup with an email and password, then later log in with Google or GitHub OAuth, there is still that unique, universal email that identifies me as an existing user no matter the method I use to sign up.

[pilcrowonpaper]

You can add any attributes to the user right now
https://lucia-auth.vercel.app/learn/basics/store-user-attributes