# [SOLVED] createOauth2Session gives error 409 Conflict if user already exists but logged out
How do I create oauth2Session again if I need to?
Like, after logout, I try to log in again, but this error shows up
By the way, I am using the Google provider for the creation of the OAuth2 session
The code I am using for login is
account.createOAuth2Session(
'google',
`${process.env.NEXT_PUBLIC_BASE_URL}/`,
`${process.env.NEXT_PUBLIC_BASE_URL}/auth/login`
);
While the code I am using for logout is
await account.deleteSession("current");
Is this a known bug ?
Can anyone help with this ?
<@&634618551491100692> <@&564164014339391498> Please help here, this is a possible bug which tries to create the user whenever createOAuth2Session is called.
Please do not ping people, certainly not groups. Many of the Appwrite Core staff are currently on holiday. Your post will be seen eventually
I am so sorry, will not repeat that
It's just that I thought other questions were getting solved, so for some reason this was not visible
My apologies, will not repeat that again.
What scopes are you using
All scopes are non-sensitive, so I did not specify at all
https://appwrite.io/docs/references/cloud/client-web/account your call looks like this? The create oauth 2
Yes that is correct,
First the instantiation of client
then calling createOauth2Session with provider like here
Yes but I don’t see any scopes provided there
Usually you need at least read of the users account
I do not think that is necessary, the same code with new (not present in project initially) google user works
The problem is with a user who has logged out.
Would you please use the Appwrite CLI and run appwrite users listIdentities
Ok
I see it, there are identities related to the account I am trying to sign in with
Am I supposed to delete that too on signout?
Do the user IDs match?
I am unable to print the userId after the error, as it does not sign in if the error mentioned above occurs.
However, when I initially signed in, the user_id, if it is the same each time I create an OAuth session, then yes they match.
Let me explain in a bit more detail:
- New user sign in (with Google): user_id = x
- appwrite users listIdentities shows user_id = x
- Logout using deleteSession
- Retrying to log in using Google: Error 409 conflict
- appwrite users listIdentities still shows user_id = x
Can't you see the user and user id in the Appwrite Console?
You are right, it matches
the one in console and the identities too
I am sorry, but I am not able to understand the concept of identities and users,
Can you please link some documentation?
We don't have much documentation on it yet, but it's a way for a user to have additional emails/oauth accounts linked to their account
So should I be deleting the identity while logging out?
So as to not get the error 409 during the creation of the OAuth session?
No. Having the identity there with the user id matching is expected
Does the user have any other sessions active?
And the emails match up between the account and the identity?
Let's try this...take note of all the user identity details. Then, delete the user identity, sessions, and the user itself. Then, try to create an oauth2 session again. It should create another identity. Please compare the details between the new identity and the previous one. Do the details match?
I have the same issue. When I got this 409 error, I bypass it like that.
WAY 1:
1- open your app
2- log in with another user with email and password, not OAuth2
3- log out the user (it clears all cookies and localStorage about the user)
4- log in with OAuth2, it should work
WAY 2:
If you delete the exact session directly from the Appwrite console with the related user, it should bypass this error message as well.
Problem: I guess the browser saves some local storage and cookies, and Appwrite has a session with that logged in. While testing it you are trying to create a session with OAuth2 again and it conflicts with the session that is already created. So, please clear all sessions and start to try again
Yup they do
I performed the steps as you mentioned,
The identities of before and after differ by userId.
How about the provider uid?
They match
Okay so google is always returning the same provider user id...then Appwrite shouldn't be trying to create another user or identity 😵💫
Way 1 is out of scope for me, as I do not want emailSession
I have been doing way 2, but still getting conflict.
But it should after the deletion of identity, right?
It doesn't create another identity though if we call on it. I think
It's like after logout, appwrite just tries to create a user regardless of identity
After you deleted and signed in again, a new user and Identity were created. After that, it should lookup the previous user and Identity
It would only do that if it can't match on email/provider user id
Right, I feel however that condition is being disregarded. It is just going on to create a user.
So, again, you only have 1 identity in your project? How many users?
And if you call account.get() before the create oauth2 session, it throws an exception?
Many anonymous users, 4 identities, because I used OAuth with 4 different accounts
Can you delete all identities and users?
I do actually, I get the guest scope right after logout and before createOauthSession.
Ok, doing it now. Is there a way to bulk delete from the Appwrite CLI?
Maybe some bash + jq magic
I think it's an obvious bug that should be fixed. But I don't know where that conflict comes from actually. If you can reproduce this 409 error clearly, opening a GitHub issue for that is going to be helpful for everyone obviously. That's my path to use Appwrite with its growing community. Until it is fixed, the better way is to bypass it in other ways.
So I just tried to reproduce this by doing this in an incognito window:
- browse to [endpoint]/account/sessions/oauth2/google?project=[project id]
- log in
- see the Missing redirect URL after successful auth
- see the new user in the console (and identity by manually fetching for it)
- close and re-open the incognito window
- repeat steps 1 and 2
And I was able to log in again as expected:
Ok, I deleted all the users and tried again
But the results are the same.
Are you doing this in the cloud?
Can you try using createOAuth2Session?
I am not quite sure why it would be different though.
I tried this,
And this works for me too.
The only difference I see is that I get the verified email tag, which I don't usually get when I try through createOAuth2Session
Could it be that I have configured it wrongly?
This is what I have done,
Created Oauth Consent Screen in GCP
Create Oauth Credential by adding authorized javascript origins, authorized redirect uris (from appwrite)
Then added Client ID and Client Secret to appwrite.
yes, i tested on cloud.
The web sdk for createOAuth2Session() generates the URL and redirects the user so it's the same thing.
nope, that seems fine
However I am getting a 409 Conflict so any suggestions on how I can debug this
I need to know, what is it exactly conflicting against
Ok wait, I don't think I have mentioned this but in my application, if you are not logged in by Oauth then you are assigned anonymous user
Which then gets converted to Google Oauth session.
I do not know if it changes anything
So the next time you log in, it starts from anonymous again?
If you logout from Google, you are automatically assigned anonymous
So before logging into Google you are anonymous user
Then you become Google oauth user
Yes, that's a problem because the new anonymous user is trying to link their account to that Google one, but it's already linked to the other user
I see, so should I delete the anonymous session before I do createOauth2Session?
That way there is no linking
What's the point of the anonymous session?
So the permission on my functions are User
Hence I am assigning an anonymous to any user that visits site
I did not want to keep it open to everyone
But anyone can create an anonymous session 🧐
But ya, you can do this
You are right, but I had to mitigate in some way
Do you have any suggestions?
I don't want people to just be able to call the function directly through an API call
So you want it to be possible to trigger by anyone publicly, but only from your site?
Right that makes sense,
No, that’s not possible
Is there any other way to make this a bit tougher?
Either way that solves the issue for createOAuth2Session
However, can you tell why the linking of the anonymous user is necessary during createOAuth2Session?
You mean for the identity?
I mean, when I have an anonymous session, and then I do createOAuth2Session, why link the previous anonymous session?
It's the flow for converting an anonymous user to a regular user via oauth
Is it to ensure no other anonymous user tries to convert?
Not sure what you mean
I'm trying to understand the reason behind such flow.
Is there any documentation for this ?
What flow are you talking about?
The one you are mentioning here
There's not much else to say so I'm not sure what you're looking for 🧐
Understood, Thank you so much for helping me out this far.