feat(token): support link_identity in the access_token grant #2614

Open: spydon wants to merge 1 commit into feat/facebook-access-token-grant from feat/facebook-access-token-grant-link-identity

@spydon (Contributor) commented Jul 3, 2026

What

Adds link_identity support to the access_token grant, so an already-authenticated user can attach a provider identity (Facebook) to their existing account using a provider access token, instead of signing in or creating a new account.

POST /token?grant_type=access_token
Authorization: Bearer <current user session>
{ "provider": "facebook", "access_token": "<facebook access token>", "link_identity": true }

Why

Parity with the id_token grant, which already supports link_identity. This lets a user who signed in another way (email, another provider) connect their Facebook account when native login only yields a classic access token (the case #2609 exists for).

How

Mirrors the id_token grant exactly:

  • When link_identity is set, require a valid user access token in the Authorization header (requireAuthentication), resolve the target user, and set it on the context.
  • In the transaction, branch to linkIdentityToUser instead of createAccountFromExternalIdentity.

Tests

  • TestAccessTokenGrantLinkIdentity: links Facebook to an existing signed-in user, asserts the same user is returned and the facebook identity is attached.
  • TestAccessTokenGrantLinkIdentityRequiresAuth: linking without an Authorization header is rejected.

Stacking

Stacked on #2609 (base branch feat/facebook-access-token-grant). Review/merge that one first; this diff is only the linking addition.
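
The gate described under How, modeled as an added example that is not part of this pull request or the project's code. The store type, session tokens and user IDs are constructed; requireAuthentication here is a stand-in body that only borrows the name from the description, and rejecting an identity already owned by another user is an assumption the description does not cover.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed stand-ins for illustration; not the project's types.
type store struct {
	sessions   map[string]string // session token -> user ID
	identities map[string]string // "provider:subject" -> user ID
}
var errNoSession = errors.New("link_identity requires a valid user access token")
var errInUse = errors.New("identity already belongs to another user")

// requireAuthentication resolves the user from the Authorization header only.
func (s *store) requireAuthentication(authz string) (string, error) {
	if uid, ok := s.sessions[strings.TrimPrefix(authz, "Bearer ")]; ok && strings.HasPrefix(authz, "Bearer ") {
		return uid, nil
	}
	return "", errNoSession
}

// accessTokenGrant takes a provider subject assumed already verified and returns the owning user ID.
func (s *store) accessTokenGrant(provider, subject string, link bool, authz string) (string, error) {
	key := provider + ":" + subject
	owner, exists := s.identities[key]
	if link {
		uid, err := s.requireAuthentication(authz) // fail closed, no fallback to sign-in
		if err != nil {
			return "", err
		}
		if exists && owner != uid { // assumption: the PR text does not cover this case
			return "", errInUse
		}
		s.identities[key] = uid // corresponds to the linkIdentityToUser branch
		return uid, nil
	}
	if !exists { // corresponds to the createAccountFromExternalIdentity branch
		owner = fmt.Sprintf("user-%d", len(s.identities)+1)
		s.identities[key] = owner
	}
	return owner, nil
}

func main() {
	s := &store{map[string]string{"sess-alice": "alice"}, map[string]string{}}
	fmt.Println(s.accessTokenGrant("facebook", "fb-1", true, "Bearer sess-alice"))
}
```

The target user comes only from the verified session, never from the request body, and a missing or invalid Authorization header ends the request instead of falling through to account creation.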

@spydon requested a review from a team as a code owner, July 3, 2026 08:04
@spydon force-pushed the feat/facebook-access-token-grant branch from 5dc0147 to 1d3f849, July 3, 2026 08:08
@spydon force-pushed the feat/facebook-access-token-grant-link-identity branch from a844510 to 44bc577, July 3, 2026 08:08
Comment thread internal/api/token_access_token.go
@spydon force-pushed the feat/facebook-access-token-grant branch from 1d3f849 to 16f15c6, July 3, 2026 08:39
@spydon force-pushed the feat/facebook-access-token-grant-link-identity branch 2 times, most recently from e3d5fbe to 1d63179, July 3, 2026 08:42
When link_identity is set and a valid user access token is provided in the Authorization header, link the provider identity to that user instead of signing in or creating a new account, mirroring the id_token grant.
@spydon force-pushed the feat/facebook-access-token-grant branch from 16f15c6 to 39ea58a, July 3, 2026 09:17
@spydon force-pushed the feat/facebook-access-token-grant-link-identity branch from 1d63179 to f709746, July 3, 2026 09:18