Can a social IDP user become an email+password user?

We have a certain social identity provider that we would like to phase out for our CIAM users. The most straightforward way I can think of would be to change our end-user facing login screen to take them to a new screen where we explain the situation and prompt users who click on this social IDP to add a password to their account. I’m wondering if this is possible and what API calls need to be made to move the user to the right state?

I found this support article, "Problem: Password reset does not work with users created via social logins (Google, Facebook, etc.)", which makes it clear the basic reset password flow is not suitable.

I’ve looked a little bit at the Identity Provider User Operations API, including the ability to list and unlink an IDP associated with a given user (DELETE /api/v1/idps/${idpId}/users/${userId}). Is that the path to follow?

Hi @PatrickM. Unlinking the user as you stated would be necessary. Following the unlinking, you may want to trigger a password reset for that user account to ensure the now Okta-sourced account has credentials associated with it. You would also need to ensure that the account link policy does not automatically re-link accounts, should they attempt to sign in with the IdP again after stepping through this process.

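The steps from the reply above, put in order as Okta API calls. This is an added example, not code from the thread or from Okta. It assumes an API token allowed to manage users and IdPs, and reads the IdP's policy.accountLink.action field to detect automatic linking; the function names, the send hook and the IDs are illustrative.

```python
import json
import urllib.request

def okta_call(org_url, token, method, path, send=None):
    """Send one Okta API request. `send` (hypothetical hook) replaces the
    network call so the flow can be exercised offline."""
    req = urllib.request.Request(org_url + path, method=method, headers={
        "Authorization": "SSWS " + token, "Accept": "application/json"})
    if send is not None:
        return send(req)
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return json.loads(body) if body else None

def migrate_to_password(org_url, token, idp_id, user_id, send=None):
    def call(method, path):
        return okta_call(org_url, token, method, path, send)
    # Stop before changing anything if the IdP would link the account again
    # on the user's next social sign-in.
    idp = call("GET", f"/api/v1/idps/{idp_id}")
    action = idp.get("policy", {}).get("accountLink", {}).get("action")
    if action == "AUTO":
        raise RuntimeError("account link policy is AUTO; user would be re-linked")
    # Unlink only users who are actually linked to this IdP.
    linked = call("GET", f"/api/v1/users/{user_id}/idps")
    if not any(entry.get("id") == idp_id for entry in linked):
        return "not-linked"
    call("DELETE", f"/api/v1/idps/{idp_id}/users/{user_id}")
    # Give the account a credential: Okta emails the user a reset link.
    call("POST", f"/api/v1/users/{user_id}/lifecycle/reset_password?sendEmail=true")
    return "migrated"

if __name__ == "__main__":
    # Constructed responses standing in for a real org (no network access).
    def demo_send(req):
        print(req.get_method(), req.full_url)
        if req.full_url.endswith("/api/v1/idps/IDP1"):
            return {"policy": {"accountLink": {"action": "DISABLED"}}}
        if req.full_url.endswith("/idps"):
            return [{"id": "IDP1"}]
        return None
    print(migrate_to_password("https://example.test", "TOKEN", "IDP1", "U1", demo_send))
```

Checking the link policy first means a user is never left unlinked with a reset email pending while the IdP can still silently re-attach the account.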