Title: Important error – mixing identities Last modified: April 19, 2019 --- # Important error – mixing identities * Resolved [mmki](https://wordpress.org/support/users/mmki/) * (@mmki) * [7 years, 1 month ago](https://wordpress.org/support/topic/important-error-mixing-identities/) * Hi [@auth0josh](https://wordpress.org/support/users/auth0josh/), * I’ve found this error using Login by Auth0 wordpress plugin but I can recreate it with Auth0 API. * Using Auth0 API I can get user by id, the problem is, that the same id is used among different database connections but getting the user by id I don’t specify which connection I want to use therefore I can get wrong identity. * For example: * I have one email address and I use it to create accounts in different database connections (one email address has many identities). * Using the API /api/v2/users-by-email I pass ‘foo@bar.com’ and I get something like this: * ``` [ { "username": "foo_1", "email": "foo@bar.com", "user_id": "auth0|1", ... "identities": [ { "user_id": "1", "provider": "auth0", "connection": "CONNECTION_1", "isSocial": false } ], ... }, { "nickname": "foo_2", "email": "foo@bar.com", "user_id": "auth0|1" ... "identities": [ { "user_id": "1", "provider": "auth0", "connection": "CONNECTION_2", "isSocial": false } ], ... }, { "email": "foo@bar.com", "name": "foo_3", "user_id": "auth0|1", ... "identities": [ { "user_id": "1", "provider": "auth0", "connection": "CONNECTION_3", "isSocial": false } ], ... } ] ``` * Then I run GET `/api/v2/users/{id}` and pass auth0|1 and get one of the three identities. I don’t have to specify which connection to use: * ``` { "nickname": "foo_2", "email": "foo@bar.com", "user_id": "auth0|1", ... "identities": [ { "user_id": "1", "provider": "auth0", "connection": "CONNECTION_2", "isSocial": false } ], ... } ``` * This error affected my wordpress sites too. Recently I’ve set up new wordpress installation with Auth0 plugin. I’ve registered new user account there (let’s say [foo@bar.com](https://wordpress.org/support/topic/important-error-mixing-identities/foo@bar.com?output_format=md)) and I’ve found that I cannot log in there. I’ve changed passsword and logged into that account only to find that wordpress is showing me another identity form another connection that was disabled for this application (let’s say [spam@eggs.com](https://wordpress.org/support/topic/important-error-mixing-identities/spam@eggs.com?output_format=md)). * In Auth0 dashboard, in logs section I’ve found that [foo@bar.com](https://wordpress.org/support/topic/important-error-mixing-identities/foo@bar.com?output_format=md) was logging to my new wordpress. In Auth0 dashboard users section I’ve also had [foo@bar.com](https://wordpress.org/support/topic/important-error-mixing-identities/foo@bar.com?output_format=md) at the top of the list but when I’ve clicked I saw the [spam@eggs.com](https://wordpress.org/support/topic/important-error-mixing-identities/spam@eggs.com?output_format=md) identity and in [spam@eggs.com](https://wordpress.org/support/topic/important-error-mixing-identities/spam@eggs.com?output_format=md) account History section I saw logs indicating that this account logged to my new wp site too. The get_user and login migration scripts were returning the identity for [foo@bar.com](https://wordpress.org/support/topic/important-error-mixing-identities/foo@bar.com?output_format=md) - This topic was modified 7 years, 1 month ago by [mmki](https://wordpress.org/support/users/mmki/). Viewing 11 replies - 1 through 11 (of 11 total) * [Josh C](https://wordpress.org/support/users/auth0josh/) * (@auth0josh) * [7 years, 1 month ago](https://wordpress.org/support/topic/important-error-mixing-identities/#post-11448771) * [@mmki](https://wordpress.org/support/users/mmki/) – You’re on a roll! I appreciate your detailed reports and keeping these in separate threads. * This is more of a limitation of the plugin than the Auth0 platform as a whole. It’s true that the get user route does not handle users with the same user ID well but that’s what the list/search user endpoint is for: * [https://auth0.com/docs/api/management/v2#!/Users/get_users](https://auth0.com/docs/api/management/v2#!/Users/get_users) * You can search for users by ID and connection that way. * The problem here, though, is that saving a connection ID/name in WordPress to use when searching for users means you would have to keep it up to date with the Auth0 dashboard. That’s a big “gotcha” if connections get shuffled around for any reason. * That said, I think we need to change how user information is gathered for sites that are using migration. Specifically, we’ll need to skip the Management API and use the data we get back from login. * The best way to address this on your sites now it to make the same change as I mentioned in the Wordfence notification emails thread. If you turn on “Implicit login flow” on the Advanced tab, you’ll get the basic user data from the ID token returned from Auth0 instead of from the Management API (happy to get into more technical details if it would help). This will ensure that the data you’re getting matches the user that logged in. * I’ll work on a solution here in a release soon. Thank you again for bringing this limitation to our attention. * Thread Starter [mmki](https://wordpress.org/support/users/mmki/) * (@mmki) * [7 years, 1 month ago](https://wordpress.org/support/topic/important-error-mixing-identities/#post-11457673) * [@auth0josh](https://wordpress.org/support/users/auth0josh/) – I’m glad that you are working to solve this problem. * Please note that this error is affecting Auth0 dashboard too. I’m seeing correct account on the users list but it is linking to wrong identity. * Thread Starter [mmki](https://wordpress.org/support/users/mmki/) * (@mmki) * [7 years, 1 month ago](https://wordpress.org/support/topic/important-error-mixing-identities/#post-11458155) * Two more things 1) I’ve turned on Implict Login Flow on a WordPress site that is configured as Auth0 application that allows Auth0’s database connection with database migration. I’ve logged in to that site with an email that is used in two databases connections with migration. With implict login flow I saw the right email in my user’s profile but when i checked on Auth0 dashboard I saw that the latest login was from the second database connection linked to that email but that database connection wasn’t allowed for my application. EDITED: I’ve chcecked auth0 dashboard logs too and in logs it states that it was the right account – so only the users list is corrupted. * 2) In Auth0 dashboard if I search by by email I only see an an account once although it is in two databases. - This reply was modified 7 years, 1 month ago by [mmki](https://wordpress.org/support/users/mmki/). * [Josh C](https://wordpress.org/support/users/auth0josh/) * (@auth0josh) * [7 years, 1 month ago](https://wordpress.org/support/topic/important-error-mixing-identities/#post-11459528) * > Please note that this error is affecting Auth0 dashboard too. I’m seeing correct > account on the users list but it is linking to wrong identity. * I’m not sure I totally understand. Can you give me a little more detail here? * > With implict login flow I saw the right email in my user’s profile but when > i checked on Auth0 dashboard I saw that the latest login was from the second > database connection linked to that email but that database connection wasn’t > allowed for my application. * Are you sure you’re looking in the right place? It’s pretty unlikely that the core Auth0 product is handling this incorrectly without a massive flood of support tickets. I only say that because I have not seen this behavior while testing. If you can give me reproduction steps here, I’d be happy to take a look. * > In Auth0 dashboard if I search by by email I only see an an account once although > it is in two databases. * I’m not seeing that behavior on my end: * [https://www.dropbox.com/s/8y6rdqwyuewf97z/Screen%20Shot%202019-04-23%20at%2010.25.39%20AM.png?dl=0](https://www.dropbox.com/s/8y6rdqwyuewf97z/Screen%20Shot%202019-04-23%20at%2010.25.39%20AM.png?dl=0) * Thread Starter [mmki](https://wordpress.org/support/users/mmki/) * (@mmki) * [7 years, 1 month ago](https://wordpress.org/support/topic/important-error-mixing-identities/#post-11461181) * > I’m not sure I totally understand. Can you give me a little more detail here? * I have these two accounts, that were mixed in wordpress: * – [spam@eggs.com](https://wordpress.org/support/topic/important-error-mixing-identities/spam@eggs.com?output_format=md) * ``` [ { "email": "spam@eggs.com", "email_verified": true, "nickname": "spam", "name": "spam@eggs.com", "user_id": "auth0|2599", ... "identities": [ { "user_id": "2599", "provider": "auth0", "connection": "CONNECTION_1", "isSocial": false } ], ... "logins_count": 6 } ] ``` * – [foo@bar.com](https://wordpress.org/support/topic/important-error-mixing-identities/foo@bar.com?output_format=md) * ``` [ { "email": "foo@bar.com", "email_verified": false, "nickname": "foo", "name": "foo@bar.com", "user_id": "auth0|2599", ... "identities": [ { "user_id": "2599", "provider": "auth0", "connection": "CONNECTION_2", "isSocial": false }, { "profileData": { "email": "foo@bar.com", "email_verified": true, "nickname": "foo" }, "user_id": "2611", "provider": "auth0", "connection": "CONNECTION_1", "isSocial": false } ], ... "logins_count": 28 } ] ``` * I go to [https://manage.auth0.com/](https://manage.auth0.com/) > Users&Roles > Users I click on [foo@bar.com](https://wordpress.org/support/topic/important-error-mixing-identities/foo@bar.com?output_format=md) but I get [spam@eggs.com](https://wordpress.org/support/topic/important-error-mixing-identities/spam@eggs.com?output_format=md) - This reply was modified 7 years, 1 month ago by [mmki](https://wordpress.org/support/users/mmki/). * Thread Starter [mmki](https://wordpress.org/support/users/mmki/) * (@mmki) * [7 years, 1 month ago](https://wordpress.org/support/topic/important-error-mixing-identities/#post-11461228) * > Are you sure you’re looking in the right place? It’s pretty unlikely that the > core Auth0 product is handling this incorrectly without a massive flood of > support tickets. I only say that because I have not seen this behavior while > testing. If you can give me reproduction steps here, I’d be happy to take a > look. * After I wrote this message I found that this was only wrong display on Users list ([https://manage.auth0.com/](https://manage.auth0.com/) > Users&Roles > Users) * I have [foo@bar.com](https://wordpress.org/support/topic/important-error-mixing-identities/foo@bar.com?output_format=md) in CONNECTION_1 and CONNECTION_2. Users list shows accounts ordered by Latest login. I’ve turn on implict login flow and log in to my site. It was configured in such a way that I expected foo@bar with CONNECTION_1. I’ve checked latest login on users list and I saw foo@bar from CONNECTION_2 (wrong). I’ve checked logs ([https://manage.auth0.com/](https://manage.auth0.com/) > Logs) and I saw foo@bar from CONNECTION_1 (correct). * According to the logs it is only display error on users list. * Thread Starter [mmki](https://wordpress.org/support/users/mmki/) * (@mmki) * [7 years, 1 month ago](https://wordpress.org/support/topic/important-error-mixing-identities/#post-11461292) * > I’m not seeing that behavior on my end: * Check the response from the API above for [foo@bar.com](https://wordpress.org/support/topic/important-error-mixing-identities/foo@bar.com?output_format=md). * I would expect to get both [foo@bar.com & CONNECTION_1] and [foo@bar.com & CONNECTION_2]. Am I right or maybe that is correct behavior? I get: * `identities.connection:"CONNECTION_1"` [foo@bar & CONNECTION_2] … * `email:"foo@bar.com"` [foo@bar & CONNECTION_2] * I would expect [foo@bar & CONNECTION_1] for this one: * `identities.connection:"CONNECTION_1" AND email:"foo@bar"` [foo@bar & CONNECTION_2] - This reply was modified 7 years, 1 month ago by [mmki](https://wordpress.org/support/users/mmki/). * [Josh C](https://wordpress.org/support/users/auth0josh/) * (@auth0josh) * [7 years, 1 month ago](https://wordpress.org/support/topic/important-error-mixing-identities/#post-11468067) * If you just get a single user from that endpoint, you get whatever the API finds for the “first” user with that ID. That’s not ideal behavior from the API but unlikely to be changed anytime soon. I will definitely pass along the feedback, though. * I’ll be fixing the plugin to avoid this issue but, if you’re working with the API and want to make sure you’re getting the right user, you want to search for a user with the connection you want using this endpoint: * [https://auth0.com/docs/api/management/v2#!/Users/get_users](https://auth0.com/docs/api/management/v2#!/Users/get_users) * … with something like this for the `q` parameter: * ``` identities.connection:"CONNECTION_1" AND email:"foo@bar.com" ``` * If you have Implicit flow turned on, you’re only getting data from the ID token, which does not include connection information. You’ll get a `sub` (Auth0 user ID) and that should match the one in Auth0. If you’ve got 2 users in Auth0 with the same email address and the same Auth0 user ID, it will be difficult to tell which one is coming through. In fact, your WordPress site can’t really know the difference (though it shouldn’t have to since there can’t be two users with the same email address). * Also, if you’re now linking identities between users on two sites with custom databases, the complexity factor here goes through the roof, I’m not even sure how that could possibly be handled correctly. * Thread Starter [mmki](https://wordpress.org/support/users/mmki/) * (@mmki) * [7 years, 1 month ago](https://wordpress.org/support/topic/important-error-mixing-identities/#post-11488740) * Thanks for the informations. * > I’ll be fixing the plugin to avoid this issue * That’s great to hear. * Will someone fix the users list at Auth0 dasboard too? * [Josh C](https://wordpress.org/support/users/auth0josh/) * (@auth0josh) * [7 years, 1 month ago](https://wordpress.org/support/topic/important-error-mixing-identities/#post-11489669) * > Will someone fix the users list at Auth0 dashboard too? * I’m not clear on what needs to be changed there. The overlapping user IDs will cause issues anywhere that a user ID is used but the dashboard does not use that to get users (except when you link in the URL, as the plugin does). * The issue with these overlapping user IDs is known and, since it’s caused by a user-provided script (in this case, plugin-provided), there isn’t anything currently planned to address it. The fix for the plugin will be to namespace these user IDs for new sites as suggested here: * [https://auth0.com/docs/users/normalized/auth0/identify-users](https://auth0.com/docs/users/normalized/auth0/identify-users) * That won’t solve your current issue, though, as the users already have overlapping user IDs. We have a few options to correct this once we have the new database script ready: * – If you don’t have any user data stored that needs to be kept (if you’re only using the connection to support login and not storing any metadata or anything else), you can delete the connection with all the users, create a new one with the new script, and restart the migration. Since you’re using WordPress to authenticate, this shouldn’t have any negative effects on the user experience at all. – If you do have data in Auth0 that needs to be kept, you can use our import/export extension to export the users, search/replace to update the user ID, then re- import. This has the advantage of being able to test on a new database connection first before you switch over. Happy to help with this process so we can document it for anyone else that might need to. – If you have a paid account, you can contact our support team to run a database update script to change the user IDs to a namespaced version. * Again, these options will need to happen after we have a new version of the database script ready (early next week). * Thanks for your patience with this! * [Josh C](https://wordpress.org/support/users/auth0josh/) * (@auth0josh) * [7 years ago](https://wordpress.org/support/topic/important-error-mixing-identities/#post-11616274) * This has been fixed in version [3.11.0](https://github.com/auth0/wp-auth0/releases/tag/3.11.0). There are also detailed instructions on fixing existing Connections with overlapping user IDs here: * [https://auth0.com/docs/cms/wordpress/user-migration#cannot-change-email-or-incorrect-user-data](https://auth0.com/docs/cms/wordpress/user-migration#cannot-change-email-or-incorrect-user-data) Viewing 11 replies - 1 through 11 (of 11 total) The topic ‘Important error – mixing identities’ is closed to new replies. * ![](https://ps.w.org/auth0/assets/icon-256x256.png?rev=3351758) * [Login by Auth0](https://wordpress.org/plugins/auth0/) * [Frequently Asked Questions](https://wordpress.org/plugins/auth0/#faq) * [Support Threads](https://wordpress.org/support/plugin/auth0/) * [Active Topics](https://wordpress.org/support/plugin/auth0/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/auth0/unresolved/) * [Reviews](https://wordpress.org/support/plugin/auth0/reviews/) * 11 replies * 2 participants * Last reply from: [Josh C](https://wordpress.org/support/users/auth0josh/) * Last activity: [7 years ago](https://wordpress.org/support/topic/important-error-mixing-identities/#post-11616274) * Status: resolved