Description
When configuring an OIDC provider (e.g., Authentik) via the UI, users who already have a local account cannot log in via SSO if their OIDC email matches their local account email. NextAuth throws an account_not_linked error (error=account_not_linked in the URL).
Currently, there is no way to resolve this conflict because:
There is no "Link Account" button in the User Settings UI.
There are no environment variables (like OIDC_AUTO_LINK) available to force account merging.
The user cannot change their own email address in the Profile settings to avoid the conflict, as the email input field is disabled/greyed out.
This creates a deadlock where the user is completely unable to use SSO for their primary admin account without creating a secondary local admin just to rename the first one's email.
To Reproduce
Steps to reproduce the behavior:
Create a local user/admin account with an email (e.g., user@example.com).
Go to Admin Settings and configure a working OIDC Provider (Managed by DB).
Log out and attempt to log in via OIDC using an identity that shares the same email (user@example.com).
See the NextAuth error in the URL: .../auth-error?error=account_not_linked.
Log back in with the local account and go to Settings -> Profile to try and change the email address.
See that the email field is greyed out and cannot be modified.
Expected behavior
There should be a way to link an OIDC account to an existing local account. This could be solved by:
Adding a "Link OIDC Account" button in the User Settings.
Introducing an environment variable (e.g., OAUTH_AUTO_LINK=true) to allow automatic linking based on matching emails.
Allowing users to edit their own email address in their profile so they can manually free up the email for the OIDC login.
Desktop
OS: Windows 11
Browser: Chrome
Version: Latest
Additional context
I am running Norish via Docker. I checked the documentation and environment variables, but unlike Mealie, there are no documented variables to bypass the NextAuth security policy regarding account linking.
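The following JavaScript is an added example, not code from this issue, from Norish, or from NextAuth. It shows how the OAUTH_AUTO_LINK variable proposed above could be wired up, and why auto-linking needs a guard: NextAuth's OAuth/OIDC providers already expose an allowDangerousEmailAccountLinking option that links on matching email instead of raising account_not_linked, and it is called "dangerous" because an IdP that does not verify email addresses lets anyone who registers user@example.com there take over the local account. The env var name, the profile field names beyond the standard OIDC claims (iss, sub, email, email_verified), the shape of the local user record and the sample data are all assumptions made for the example.

```javascript
// Added example (not Norish's or NextAuth's code). Two pieces:
//   1. buildOidcProviderOptions(): derives the NextAuth provider flag
//      allowDangerousEmailAccountLinking from a hypothetical OAUTH_AUTO_LINK
//      environment variable, so the default stays "do not link".
//   2. decideSignIn(): an explicit linking decision, as one would put in a
//      signIn callback, that only links when auto-link is on AND the IdP
//      asserts email_verified === true for the matching address.

const ACCOUNT_NOT_LINKED = "account_not_linked"; // NextAuth's error code

function normalizeEmail(email) {
  return typeof email === "string" ? email.trim().toLowerCase() : null;
}

// Options merged into a NextAuth OAuth/OIDC provider definition. Only the
// flag derived from the env var is shown; issuer/clientId/clientSecret would
// come from the DB-managed provider config in the real app.
function buildOidcProviderOptions(env) {
  const autoLink = env.OAUTH_AUTO_LINK === "true"; // hypothetical variable
  return {
    // NextAuth option: attach the OAuth account to an existing user whose
    // email matches instead of failing with account_not_linked.
    allowDangerousEmailAccountLinking: autoLink,
  };
}

// Decide what to do with an OIDC sign-in. localUser is the local account
// found by the IdP's email (or null). Returns { action, reason }.
function decideSignIn({ localUser, oidcProfile, autoLink }) {
  const idpEmail = normalizeEmail(oidcProfile && oidcProfile.email);
  if (!idpEmail) return { action: "reject", reason: "no_email_from_idp" };

  // No local account with this email: a fresh user is created as usual.
  if (!localUser) return { action: "create", reason: "new_user" };

  // Already linked to this issuer + subject: ordinary login.
  const linked = (localUser.accounts || []).some(
    (a) => a.provider === oidcProfile.iss && a.providerAccountId === oidcProfile.sub
  );
  if (linked) return { action: "login", reason: "already_linked" };

  // Email mismatch or auto-link disabled: reproduce NextAuth's default.
  if (normalizeEmail(localUser.email) !== idpEmail || !autoLink)
    return { action: "reject", reason: ACCOUNT_NOT_LINKED };

  // Trust the email claim only when the IdP says it verified it.
  if (oidcProfile.email_verified !== true)
    return { action: "reject", reason: "email_not_verified" };

  return { action: "link", reason: "verified_email_match" };
}

// Constructed sample data so the example runs stand-alone.
const localAdmin = { id: 1, email: "user@example.com", accounts: [] };
const authentikProfile = {
  iss: "https://authentik.example.com/application/o/norish/", // assumed issuer
  sub: "0f2c",
  email: "User@Example.com", // differs only in case from the local account
  email_verified: true,
};

// Walks through the scenario from the issue under three settings.
function demo() {
  const autoLinkOn = buildOidcProviderOptions({ OAUTH_AUTO_LINK: "true" })
    .allowDangerousEmailAccountLinking;
  return {
    // Today's behaviour: matching email, no linking -> account_not_linked.
    defaultBehaviour: decideSignIn({ localUser: localAdmin, oidcProfile: authentikProfile, autoLink: false }),
    // Proposed behaviour with the variable set and a verified email.
    withAutoLink: decideSignIn({ localUser: localAdmin, oidcProfile: authentikProfile, autoLink: autoLinkOn }),
    // The guard: auto-link on, but the IdP did not verify the address.
    unverified: decideSignIn({
      localUser: localAdmin,
      oidcProfile: { ...authentikProfile, email_verified: false },
      autoLink: autoLinkOn,
    }),
  };
}

console.log(demo());
```

If the variable is implemented purely through allowDangerousEmailAccountLinking, the email_verified check in decideSignIn is the part NextAuth does not do for you; it belongs in a signIn callback (or in the adapter's linkAccount path) so that enabling the variable against an IdP with self-service registration does not become an account-takeover path.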