Exclude identity conflicts of the same account #4497

ref DEV-1632

Author: tung2744

e2e/tests/account_linking/dev-1632.test.yaml

@@ -0,0 +1,100 @@
+# https://linear.app/authgear/issue/DEV-1632/incorrectly-enter-account-linking-when-creating-two-identity-in-a-row
+name: Account linking - Incoming OAuth - DEV-1632
+authgear.yaml:
+  override: |
+    authentication:
+      identities:
+        - login_id
+        - oauth
+    identity:
+      oauth:
+        providers:
+          - alias: google
+            client_id: "google"
+            type: google
+    account_linking:
+      oauth:
+        - alias: google
+          action: login_and_link
+          oauth_claim:
+            pointer: "/email"
+          user_profile:
+            pointer: "/email"
+    authentication_flow:
+      signup_flows:
+        - name: f1
+          steps:
+            - type: identify
+              one_of:
+              - identification: oauth
+                steps:
+                - type: identify
+                  one_of:
+                  - identification: email
+steps:
+  - action: "create"
+    input: |
+      {
+        "type": "signup",
+        "name": "f1"
+      }
+    output:
+      result: |
+        {
+          "action": {
+            "type": "identify"
+          }
+        }
+
+  - action: input
+    input: |
+      {
+        "identification": "oauth",
+        "alias": "google",
+        "redirect_uri": "http://mock"
+      }
+    output:
+      result: |
+        {
+          "action": {
+            "type": "identify",
+            "data": {
+              "oauth_authorization_url": "[[string]]"
+            }
+          }
+        }
+  - action: oauth_redirect
+    to: "{{ .prev.result.action.data.oauth_authorization_url }}"
+    redirect_uri: http://mock
+    output:
+      result: |
+        {
+          "query": "[[string]]"
+        }
+
+  - action: input
+    input: |
+      {
+        "query": "{{ .prev.result.query }}"
+      }
+    output:
+      result: |
+        {
+          "action": {
+            "type": "identify"
+          }
+        }
+
+  - action: input
+    input: |
+      {
+        "identification": "email",
+        "login_id": "mock@example.com"
+      }
+    output:
+      result: |
+        {
+          "action": {
+            "type": "finished"
+          }
+        }

pkg/lib/authenticationflow/declarative/intent_check_conflict_and_create_identity.go

@@ -88,9 +88,9 @@ func (i *IntentCheckConflictAndCreateIdenity) checkConflictByAccountLinkings(
 	flows authflow.Flows) (conflicts []*AccountLinkingConflict, err error) {
 	switch i.Request.Type {
 	case model.IdentityTypeOAuth:
-		return linkByIncomingOAuthSpec(ctx, deps, flows, i.Request.OAuth, i.JSONPointer)
+		return linkByIncomingOAuthSpec(ctx, deps, flows, i.UserID, i.Request.OAuth, i.JSONPointer)
 	case model.IdentityTypeLoginID:
-		return linkByIncomingLoginIDSpec(ctx, deps, flows, i.Request.LoginID, i.JSONPointer)
+		return linkByIncomingLoginIDSpec(ctx, deps, flows, i.UserID, i.Request.LoginID, i.JSONPointer)
 	default:
 		// Linking of other types are not supported at the moment
 		return nil, nil

pkg/lib/authenticationflow/declarative/intent_promote_identity_login_id.go

@@ -166,7 +166,7 @@ func (n *IntentPromoteIdentityLoginID) checkConflictByAccountLinkings(
 	spec *identity.Spec) (conflicts []*AccountLinkingConflict, err error) {
 	switch spec.Type {
 	case model.IdentityTypeLoginID:
-		return linkByIncomingLoginIDSpec(ctx, deps, flows, NewCreateLoginIDIdentityRequest(spec).LoginID, n.JSONPointer)
+		return linkByIncomingLoginIDSpec(ctx, deps, flows, n.UserID, NewCreateLoginIDIdentityRequest(spec).LoginID, n.JSONPointer)
 	default:
 		panic("unexpected spec type")
 	}

pkg/lib/authenticationflow/declarative/node_promote_identity_oauth.go

@@ -129,7 +129,7 @@ func (n *NodePromoteIdentityOAuth) checkConflictByAccountLinkings(
 	spec *identity.Spec) (conflicts []*AccountLinkingConflict, err error) {
 	switch spec.Type {
 	case model.IdentityTypeOAuth:
-		return linkByIncomingOAuthSpec(ctx, deps, flows, NewCreateOAuthIdentityRequest(n.Alias, spec).OAuth, n.JSONPointer)
+		return linkByIncomingOAuthSpec(ctx, deps, flows, n.UserID, NewCreateOAuthIdentityRequest(n.Alias, spec).OAuth, n.JSONPointer)
 	default:
 		panic("unexpected spec type")
 	}

pkg/lib/authenticationflow/declarative/utils_account_linking.go

@@ -139,6 +139,7 @@ func linkByIncomingOAuthSpec(
 	ctx context.Context,
 	deps *authflow.Dependencies,
 	flows authflow.Flows,
+	userID string,
 	request *CreateIdentityRequestOAuth,
 	identificationJSONPointer jsonpointer.T,
 ) (conflicts []*AccountLinkingConflict, err error) {
@@ -191,6 +192,12 @@ func linkByIncomingOAuthSpec(
 
 		for _, iden := range idenConflicts {
 			iden := iden
+
+			// Exclude identities that actually belong to this user.
+			if iden.UserID == userID {
+				continue
+			}
+
 			// Exclude duplicates
 			if _, exist := conflictedIdentityIDs[iden.ID]; exist {
 				continue
@@ -227,6 +234,7 @@ func linkByIncomingLoginIDSpec(
 	ctx context.Context,
 	deps *authflow.Dependencies,
 	flows authflow.Flows,
+	userID string,
 	request *CreateIdentityRequestLoginID,
 	identificationJSONPointer jsonpointer.T,
 ) (conflicts []*AccountLinkingConflict, err error) {
@@ -271,6 +279,12 @@ func linkByIncomingLoginIDSpec(
 
 		for _, iden := range idenConflicts {
 			iden := iden
+
+			// Exclude identities that actually belong to this user.
+			if iden.UserID == userID {
+				continue
+			}
+
 			// Exclude duplicates
 			if _, exist := conflictedIdentityIDs[iden.ID]; exist {
 				continue