Someone at our company had username X with Google Apps and username X with Phabricator. One day, he changed his Google Apps username to Y. We decidedly, logically enough, to change his Phabricator username to Y. I used the web UI to "change username." Somehow (unsure how) even though he said he had a window which was logged into Phabricator, something (maybe the username changed?) logged him out.
Our install has only a single auth provider configured, which is Google. Unfortunately, his account was still linked to the old (X) Google Apps account. His Google account had already been changed and there was no easy way to switch it back, so there was no way to get him back into Phabricator.
What we did:
- Used the web UI to temporarily make him an administrator
- Ran ./bin/auth recover to generate a link to let him log in
- Removed his administrator status
- Ask him to go to /settings/panel/external/ to set up auth correctly
At this point, Phabricator won't let him delete the existing connection to Google because it's his only auth method. There's also no obvious way to add a second Google account. I started wondering if maybe the only way out of this sticky situation was to temporarily add a second auth provider, then delete it after sorting this out.
Turns out, there was a way out. If you click the "refresh" icon next to the Google provider, you can add a second account. However, at this point, trying to delete the old Google account from the list of providers gives an error: "More than 1 result from loadOneWhere()!" He can log in just fine now so I won't worry about this, but it was still a weird experience.
I realize this is a corner case, but it seems like there could be some small changes in this flow that would lead to big UX wins. My biggest concrete suggestion is to maybe add a note on the providers page (if there's only one provider available) with some sort of "add 2nd Google account" button.