
Automatically linking accounts if same email is used

Open smola opened this issue 11 years ago • 6 comments

I'm not sure if this is a feature request or a support question:

Is it currently possible to link (instead of sign up) a Facebook account to a UsernamePassword account when they have the same email? My exact use case:

  1. I do not want different registered users with the same email.
  2. If a Facebook account is signed up and it matches the email of a user with a UsernamePassword account, I want the ask_link prompt used. If accepted, accounts are linked. If rejected, signup won't happen (an error will be issued).
  3. If a UsernamePassword account is signed up and it matches the email of a user with a FacebookAccount, it should issue an error (it could make sense to offer a link of the new UsernamePassword account to the existing Facebook account, but at the moment, refusing the sign up would be enough for me).

Step 1 and 3 already work like this for my UsernamePassword accounts, but not for Facebook accounts.

I did implement this mechanism myself in my play-authenticate fork, but it's getting really convoluted and messy. What would be the correct approach to this?

smola, Mar 13 '13 06:03

The problem is that emails provided by external providers might not be validated. E.g. neither Facebook nor Google guarantee the validity of the email address, e.g. merging on email might result in people gaining access to your account if they can spoof the email address on one of the supported providers - the more providers supported on a website, the more problematic this gets.

joscha, Mar 13 '13 17:03

Oh, damn. I have a problem then ;-)

I'll try to work on a different solution:

  1. Same email is detected on Facebook signup. User gets redirected to user/pass login.
  2. After login, user gets redirected back to Facebook auth for linking.

smola, Mar 13 '13 18:03

I cannot find a way to redirect the user back to the login page (plus a flash() error message) when a user is being created with an existing email (on Facebook signup, for example).

smola, Mar 20 '13 11:03

Is it because there is a redirect in between and the flash vars get lost?

joscha, Apr 04 '13 17:04

I also came across this question a few days ago: should we auto link/merge accounts based on email addresses provided by external auth providers? I would have assumed that all of those big networks require their user to verify their email addresses...

@smola Did you eventually find a solution that works for you?

At least Google returns an email_verified property in the ID Token, but I have no idea whether this info could somehow be abstracted and made available in the authentication flow...

jtammen, Aug 31 '13 21:08

@jtammen I decided to not do anything fancy with this at the moment. If a user signs up with email/password, he has to be logged in to link his account with Facebook. No email-based auto-linking. If a user tries to sign up with a Facebook account that has an email already existing in the database, he just gets an error.

smola, Aug 31 '13 22:08
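The linking policy the thread converges on (joscha's warning that provider emails may be unverified, jtammen's note about Google's email_verified claim, and smola's final rule of rejecting password signups on an existing email and requiring a login before linking) can be written down as one decision function. This is an added example, not play-authenticate's code; the Identity/Account types, the provider names and the sample accounts are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Decision(Enum):
    CREATE = "create a new account"
    ASK_LINK = "show the ask_link prompt; link only if the user accepts"
    REQUIRE_LOGIN = "redirect to user/pass login, then return to the provider to link"
    REJECT = "refuse the signup with an error"


@dataclass(frozen=True)
class Identity:
    """Identity asserted by the provider the user is signing up with (constructed type)."""
    provider: str          # "password", "facebook", "google", ...
    email: str
    email_verified: bool   # True only when the provider itself asserts it (e.g. an ID token claim)


@dataclass(frozen=True)
class Account:
    """Account already stored locally (constructed type)."""
    provider: str
    email: str


def normalize(email: str) -> str:
    # Compare addresses case-insensitively so "Bob@Example.com" matches "bob@example.com".
    return email.strip().lower()


def find_by_email(accounts: List[Account], email: str) -> Optional[Account]:
    wanted = normalize(email)
    return next((a for a in accounts if normalize(a.email) == wanted), None)


def link_decision(new: Identity, accounts: List[Account]) -> Decision:
    existing = find_by_email(accounts, new.email)
    if existing is None:
        return Decision.CREATE                 # no collision: plain signup
    if new.provider == "password":
        return Decision.REJECT                 # step 3 of the issue: password signup on a taken email
    if new.email_verified:
        return Decision.ASK_LINK               # provider vouches for the address: offer the link prompt
    # Unverified provider email: never merge on the address alone (joscha's point);
    # make the user prove ownership of the local account first (smola's 2-step flow).
    return Decision.REQUIRE_LOGIN
```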