How to let users unlink social media login

I am wondering if it’s possible to unlink social media accounts such as Discord or Google for users?

1 Like

I need an answer for this too.

What’s the end goal for the user? You can always add an “update the user’s credentials” workflow to change their information if they want it different from their social media account login.

Imagine a user was created with email login. Then the user links Facebook to his account, so he can log in both through email and Facebook. Now imagine I want to unlink that Facebook profile from his account and get back to email-only. How to do that?

Interesting case scenario. Depending on the social media account (Facebook has this) you will have to help navigate the user to their Facebook settings and see what apps they’re connected through in order to disassociate it with yours. The best move within Bubble would be to create a workflow that lets the user change their credentials.

Does changing the credentials remove all linked social auth providers automatically? The “Update the user’s credentials” action doesn’t have any checkbox to unlink social auth providers.

Also, guiding the user to manually remove the app from his Facebook account is pretty impracticable.

I can’t think of any way you can “unlink” a social media account without either completely deleting the account or “dissociating” the app from the Facebook itself. As far as I know you can only change their credentials.

That’s unfortunate. Bubble could probably expose some way to unlink even if manually by modifying a User.

Just imagine if someone logs in with email and leaves the session open. Then someone else logs in with Facebook. Now both individuals will use the same account. Probably would need to delete the User and ask them to create new accounts. One of the worst user experiences one could ever have.

I’ve thought about this before in terms of privacy and security, and your best bet is going to be to log users out after “inactivity” time that you’ll have to set up. Think of it as similar to any mobile banking apps that kick you off to secure your authentication.

Hey, wondering if there are any developments here as far as unlinking a LinkedIn account without deleting the user. The primary login for us is to log in with an email/password; however, we use LinkedIn for verification purposes. If a user was to create a different account we would potentially want to unlink one account so as they can link another. Bubble does not allow more than one account to be linked.

Bumping

All the user has to do is revoke permission for the app. This is a basic feature of OAuth.

(Phrased another way: There’s no issue here.)

1 Like

Hi @keith - this is actually still an issue. If you accidentally link a social login to a Bubble app, there is no way to unlink it, at all. In this scenario:

  1. Log into Bubble
  2. Link Social Network
  3. Log out of Bubble
  4. Revoke OAuth token in Social Network
  5. Log into Bubble using Social Network (re-consenting)

Expected result:

  • Unable to log in, or new account created.

Actual result:

  • Successful login with social network into existing account.

Hi @keith, I made a button for users to unlink their Google account, but I don’t see any “revoke permission” choice in the workflows?

Hey all,

Typically if you just use the “Send Reset Password Email” option and the user resets their email it “unlinks” a user’s social login. This is the case on Bubble’s website too.

1 Like

This is definitely 100% still an issue.

The user should not have to change their email or reset their password to unlink a social account.

2 Likes

They go to their social account on the corresponding social platform and revoke the permissions there.

A Bubble app can only request permission. It doesn’t grant or revoke the permissions for the user.

1 Like

I’m aware of that. However, there is no reason why I shouldn’t be able to limit my users’ permissions. Yes, I could build out some separate boolean data-type (e.g. “has_access: true”) and then restrict the user’s ability to make API calls based on that. But if I could simply clear the OAuth data (aka set to null) then that would do the job much more simply.

You limit their permissions by changing scopes

Not quite sure I understand your struggle. Can you give more context or an example story of your struggle to better highlight what you are trying to accomplish?

Like what do you expect to happen vs what is really happening or where you hit a roadblock.

It also sounds like: you don’t want to delete a user, but after they’ve signed up and linked their account, you’d like to revoke that link at some point in the future?

Exactly. My use case is that I am not using their authentication for account creation, but rather in a post account creation step.

Example: user creates account with email. Then after they log in they can link their Twitter account (for example) so that my app can post tweets on their behalf. I’d like to be able to set up something like what pathfix offers

Notice the option for the user to disconnect.

Anyway, I’m doing the whole self-managed token dance at the moment and I suppose I could just pay a provider like pathfix to manage the tokens for me so I can interact with them as needed. However, ideally this would be native to Bubble.

The fix for Bubble would be as such: same as I can edit the value of my key:value pair for a user’s name, I would like to be able to at least clear the value for their authentication with a certain provider.
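
Added example (not part of the thread and not Bubble's implementation): a constructed model of the five-step scenario reported above and of the app-side "clear the value" unlink requested in the last post. It shows why revoking the grant at the provider leaves the account link in place. All class, method and identifier names are hypothetical, and it assumes the provider returns the same stable subject id when the user re-consents.

```python
"""Constructed model of social-login linking (hypothetical names, not Bubble's code)."""

class IdentityStore:
    def __init__(self):
        self.users = {}   # user_id -> {"email": str, "has_password": bool}
        self.links = {}   # (provider, subject_id) -> user_id, kept by the app
        self.tokens = {}  # (provider, subject_id) -> access token held by the app

    def create_user(self, user_id, email, has_password=True):
        self.users[user_id] = {"email": email, "has_password": has_password}

    def link(self, user_id, provider, subject_id, token):
        self.links[(provider, subject_id)] = user_id
        self.tokens[(provider, subject_id)] = token

    def provider_revoked(self, provider, subject_id):
        # Revoking at the provider kills the token only; the app's link row is untouched.
        self.tokens.pop((provider, subject_id), None)

    def social_login(self, provider, subject_id, new_token):
        # Assumption: re-consent yields the same stable subject id for this app.
        user_id = self.links.get((provider, subject_id))
        if user_id is not None:
            self.tokens[(provider, subject_id)] = new_token
        return user_id  # None means "no linked account"

    def unlink(self, user_id, provider):
        mine = [k for k, uid in self.links.items() if uid == user_id]
        target = [k for k in mine if k[0] == provider]
        if not target:
            return False
        # Guard: never remove the user's last remaining way to sign in.
        if not self.users[user_id]["has_password"] and len(target) == len(mine):
            raise ValueError("unlink would lock the user out")
        for key in target:
            del self.links[key]
            self.tokens.pop(key, None)
        return True

def replay_thread_scenario():
    store = IdentityStore()
    store.create_user("u1", "user@example.test")      # 1. email account (constructed)
    store.link("u1", "facebook", "fb-123", "tok-A")   # 2. link social network
    store.provider_revoked("facebook", "fb-123")      # 4. revoke at the provider
    after_revoke = store.social_login("facebook", "fb-123", "tok-B")  # 5. re-consent
    store.unlink("u1", "facebook")                    # app-side unlink
    after_unlink = store.social_login("facebook", "fb-123", "tok-C")
    return after_revoke, after_unlink
```

In this model the login after provider-side revocation still resolves to the existing account, and only deleting the app's own link record makes the same social identity stop resolving to it.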