Gmail auth has higher authority over Facebook auth - Firebase authentication [duplicate] - firebase

There doesn't seem to be any mention of this in the documentation, and all I found was this and this, where I would like to confirm this:
If there is an existing account with the same email address but
created with other credentials (e.g. password or non-trusted
provider), the previous credentials are removed for security reasons.
If a user signs in through Facebook or email/password and later through Google, their account's sign-in method is converted to Google. It only happens with Google, and the "one account per email address" setting is active.
Is it intended to be like this and is there any way to stop it?

As the documentation says: certain email domains have a trusted provider. Most prominently: Google is the trusted provider for @gmail.com addresses, since it's the only issuer of these email addresses.
If a user first registers their gmail address with say Facebook, and later there is a registration with that same gmail address from the Google provider, the latter registration is considered to overrule the former. If the user later signs in with Facebook again, the two accounts can be linked.
As far as I know, the only way to prevent this is to allow multiple accounts per email address.
Also see these posts by some of the Firebase Authentication engineers:
Firebase, login by same email different provider
https://github.com/firebase/FirebaseUI-Android/issues/1180
https://groups.google.com/d/msg/firebase-talk/ms_NVQem_Cw/8g7BFk1IAAAJ

Related

Change email address of user who signed in with Google

When using Firebase Auth, should I allow users to change their email address if they originally authenticated with Google?
How would I then handle this, when the user will not have a password and will not be able to log in with this new email address, but will have to use the Sign In With Google option and log in with their original Google email address?
You can link multiple authentication providers to one account - see the docs here.
This way, they can choose to sign in any of the linked providers on another device or on the original device (e.g. after they've deleted and re-installed the application).

Firebase authentication Twitter and Google

I am using the Firebase authentication functionality. I am using Facebook, Google, Twitter and email and password as providers. The default functionality is to use a single email per authentication.
If I authenticate with an account with Facebook, Twitter or Google and then try to sign in using email and password instead, it shows me a warning saying that I already use another authentication method, and it allows me to do it with the previous one.
If I authenticate with email and password and then try to authenticate with Google, Twitter or Facebook, these authentication methods are combined, that is, it keeps both, and in the Firebase console I can see both of them.
Now, if I authenticate with email and password, Facebook (I think) or Twitter and then try to authenticate with Google, it deletes the previous authentication methods. That is, if with the first authentication methods I had id1, after authenticating with Google the entry with id1 is deleted and one is created with id2.
This generates a problem in my application because the user's record previously created with id1 is lost.
I'm not sure if this is the expected behavior, but I do not think so. Obviously, whenever I refer to doing a 'new authentication' with another method, I make sure to use the same email.
It sounds like you are looking for account-linking. This is possible in Firebase-authentication. Users are identified by their Firebase Userid and you can link multiple authentication providers to a userid.
Try to check this documentation. I think this is what you are looking for: https://firebase.google.com/docs/auth/web/account-linking
I hope it helps.
The Google provider overwriting the existing providers is due to Google emails being verified as Google owns these email addresses.
To work around this, you will need to verify the email after the user signs up by sending an email verification. This guarantees that Google sign-in will not unlink the providers as the email is considered to be verified. So if a user signs up with Facebook (using a Google email), verify the email so next time the user signs in with the same Google email, the Facebook provider would remain on the user.

Firebase is converting Email Provider accounts to other provider accounts

In my app, if a user registers using email and password, but later tries to log in or register using a Google account that shares that email, the account gets converted to a Google account and the user can no longer sign in with their email and password. I've configured the project with One account per email address setting on.
Is there any way of preventing this?
This is the expected behavior as Google accounts are verified: Firebase Overwrites Signin with Google Account
There are 2 ways around this:
1. Verify emails of password users. Google provider will be added to the account without unlinking the password if the user is verified.
2. You will need to switch to "multiple accounts per email", but this means 2 accounts will be created here, one email/password and another for Google.
I recommend the first approach. Firebase Auth does this for security reasons. Any person can claim an email. Unless the ownership is verified, the password must be unlinked to prevent the impersonator from gaining access to the account.

Firebase : Authentication providers different email address

If I register with Facebook (x@x.com) and later log in with Google (y@y.com), but I do not have the same email address on both providers, there are 2 users created. How can I handle this situation?
Linking is typically used in three cases:
Automatically requested by the backend for security reasons: when a user signs in to Google, for example, with email x@x and then logs out and tries to sign in with a new Facebook account x@x. In this case the backend will not complete the second sign-in without verifying that the second user is the same as the first user (since both use the same email). So in this case, the user has to sign in to the Google account and then link the second Facebook account to the initial one.
Manually triggered by the developer: one common case here is that the user signs in to Google with email x@x and remains signed in. The developer wants access to the user's Facebook friends. So the developer will ask the user to link their Facebook account to the already logged-in Google user.
Upgrading an anonymous user: Developer could automatically sign in users initially as anonymous and then prompt them to upgrade to a registered user. In this case you can call link on the anonymous user.
So auth.currentUser.link can be made on all kinds of users as long as the account you are linking is new and not already linked.
You'll want to use the Account Linking APIs to authenticate multiple providers for the same account. Docs for Web, Android, and iOS are available.
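The recovery flow that answer points at, as an added example that is not code from the original answers or from Firebase: it follows the shape of the v8 namespaced Auth API (signInWithPopup, fetchSignInMethodsForEmail, user.linkWithCredential and the auth/account-exists-with-different-credential error), with the Auth object injected so the same function can be exercised against a constructed in-memory fake. The names signInOrLink, chooseMethod, signInWithMethod and makeFakeAuth are this example's own, as are the sample account and fake provider object.

```javascript
// Added example, not from the original answers or from Firebase: the recovery
// flow for auth/account-exists-with-different-credential, written against the
// v8 namespaced Auth API shape. `auth` is injected so the same function runs
// against firebase.auth() or against the in-memory fake below.

// Assumption: the app uses only these four providers, as in the question.
const METHOD_NAMES = {
  'password': 'Email/Password',
  'google.com': 'Google',
  'facebook.com': 'Facebook',
  'twitter.com': 'Twitter',
};

// Try to sign in with `provider`. If the email is already registered under
// other providers, authenticate with one of those existing methods first and
// then link the new credential, so the user keeps one uid rather than getting
// a second account. `chooseMethod(methods)` asks the user which existing
// method to use; `signInWithMethod(auth, method, email)` performs it. Both are
// app-supplied callbacks (names assumed here).
async function signInOrLink(auth, provider, chooseMethod, signInWithMethod) {
  try {
    const result = await auth.signInWithPopup(provider);
    return { user: result.user, linked: false };
  } catch (err) {
    if (err.code !== 'auth/account-exists-with-different-credential') {
      throw err; // unrelated failure: surface it unchanged
    }
    const pendingCred = err.credential; // the credential just obtained
    const methods = await auth.fetchSignInMethodsForEmail(err.email);
    if (methods.length === 0) {
      throw new Error(`no existing sign-in methods for ${err.email}`);
    }
    const method = await chooseMethod(methods);
    if (!methods.includes(method)) {
      throw new Error(`${METHOD_NAMES[method] || method} is not linked to ${err.email}`);
    }
    const existing = await signInWithMethod(auth, method, err.email);
    // Only after the user has proven ownership of the existing account is
    // the new credential attached to it.
    await existing.user.linkWithCredential(pendingCred);
    return { user: existing.user, linked: true };
  }
}

// Constructed stand-in for firebase.auth(): accounts keyed by email, each
// with a uid and its linked provider ids. It implements only what
// signInOrLink touches and always raises the linking error on a collision,
// i.e. the non-trusted-provider case the answers above describe.
function makeFakeAuth(accounts) {
  const fail = (code, extra) => Object.assign(new Error(code), { code }, extra);
  const userFor = (acct) => ({
    uid: acct.uid,
    providerIds: () => [...acct.providers], // fake accessor; real SDK: user.providerData
    async linkWithCredential(cred) {
      if (acct.providers.includes(cred.providerId)) throw fail('auth/provider-already-linked');
      acct.providers.push(cred.providerId);
    },
  });
  return {
    async signInWithPopup(provider) {
      const acct = accounts[provider.email];
      if (acct && !acct.providers.includes(provider.providerId)) {
        throw fail('auth/account-exists-with-different-credential', {
          email: provider.email,
          credential: { providerId: provider.providerId },
        });
      }
      if (!acct) accounts[provider.email] = { uid: `uid-${provider.email}`, providers: [provider.providerId] };
      return { user: userFor(accounts[provider.email]) };
    },
    async fetchSignInMethodsForEmail(email) {
      return accounts[email] ? [...accounts[email].providers] : [];
    },
    async signInWithEmailAndPassword(email, _password) {
      const acct = accounts[email];
      if (!acct || !acct.providers.includes('password')) throw fail('auth/wrong-password');
      return { user: userFor(acct) };
    },
  };
}

// Scenario from the question: x@x.com was registered with email/password and
// the same person later signs in with Facebook.
async function demo() {
  const accounts = { 'x@x.com': { uid: 'uid-1', providers: ['password'] } };
  const auth = makeFakeAuth(accounts);
  const facebook = { providerId: 'facebook.com', email: 'x@x.com' }; // fake provider object
  const res = await signInOrLink(
    auth,
    facebook,
    async (methods) => methods[0], // the "user" picks the only existing method
    async (a, method, email) => {
      if (method === 'password') return a.signInWithEmailAndPassword(email, 'correct-horse');
      throw new Error(`no sign-in helper for ${METHOD_NAMES[method] || method}`);
    },
  );
  return { uid: res.user.uid, linked: res.linked, providers: res.user.providerIds() };
}
```

The important ordering is that linkWithCredential runs only after the user has re-authenticated with a method already on the account; linking the pending credential before that step would let anyone who controls a same-email Facebook profile attach it to someone else's account, which is exactly the impersonation the later answers warn about.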

Merging OAuth account with existing account based on email address

I'm developing an MVC4/Razor site for which the client requested the ability for users to be able to sign in with Facebook/Google accounts. Fortunately, this is fairly straightforward using Forms authentication.
However, I'm faced with the issue of: what if the user's email address which is returned by the provider matches an existing username?
For example, tim@rocketeerconsulting.com previously exists as a native account. For whatever reason, the user wants to use Facebook to login. Facebook returns that tim@rocketeerconsulting.com is the user's email address. If the user attempts to create an account using that information, MVC4 will state that the account already exists.
There are a few concerns:
Should users be allowed to merge accounts if an email address provided by an OAuth provider matches an existing account?
This presents a potential security risk. Can I rely on the OAuth provider to confirm that the address is valid? If not, a malicious user can create a Facebook account and then gain access to another user's account.
How should such a thing be implemented, if at all?
I recognize there is a similar question here, but my question pertains specifically to the context of Forms auth in MVC4.
You are right: it's easy to impersonate this way
Indeed, to add more to the problem, not all the OAuth providers give you the user's email address (LinkedIn).
Every OAuth provider uses an email address for initial validation; however, the user can have more than one, and indeed some encourage you to have them as a backup.
So the email is not a good 'key' to identify the user.
Probably your solution will be to have a table with your own internal id and the relate this to the OAuth provider unique user identification: some use the email address, others screen name or similar.
This will allow the user to have more than one OAuth validator on your site.
I implemented this with: LinkedIn, Twitter, Amazon, Google+, Microsoft and Facebook. Additionally, our users can use their domain account to login, but this is another story...
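A minimal model of the scheme that answer describes, as an added example rather than the answerer's actual implementation, and written in JavaScript to stay in one language with the Firebase example above: an internal user id, external logins keyed by (provider, providerUserId), and email used only as a hint. It also encodes the rule the Firebase answers above rely on: an email match may auto-link only when the provider asserted the address as verified and is the issuer of that domain; any other collision is parked until the account owner confirms it after signing in the old way. IdentityStore, TRUSTED_DOMAIN_ISSUERS, the outcome strings and the sample accounts are constructed for this example.

```javascript
// Added example, not the answerer's implementation: an in-memory model of a
// login store where identity is keyed by the provider's stable user id, not
// by email. Emails only hint at a possible merge, and the merge is automatic
// only when the provider asserted the address as verified AND is the issuer
// of that domain (the "trusted provider" rule from the Firebase answers).

// Assumption: which provider is authoritative for which email domain.
const TRUSTED_DOMAIN_ISSUERS = { 'gmail.com': 'google' };

class IdentityStore {
  constructor() {
    this.users = new Map();          // internalId -> { id, email, hasPassword }
    this.externalLogins = new Map(); // "provider:providerUserId" -> internalId
    this.usersByEmail = new Map();   // lowercase email -> internalId
    this.pendingLinks = [];          // { internalId, provider, providerUserId }
    this.nextId = 1;
  }

  // Native (forms-auth) registration.
  createNativeUser(email) {
    const key = email.toLowerCase();
    if (this.usersByEmail.has(key)) throw new Error('email already registered');
    const id = this.nextId++;
    this.users.set(id, { id, email: key, hasPassword: true });
    this.usersByEmail.set(key, id);
    return id;
  }

  // Called once the OAuth handshake has completed. Returns { outcome, userId }.
  resolveExternalLogin({ provider, providerUserId, email, emailVerified }) {
    const extKey = `${provider}:${providerUserId}`;
    // 1. Known external login: the stable provider id decides, whatever the
    //    email currently attached to the provider account says.
    if (this.externalLogins.has(extKey)) {
      return { outcome: 'signed-in', userId: this.externalLogins.get(extKey) };
    }
    const emailKey = email ? email.toLowerCase() : null;
    const existingId = emailKey ? this.usersByEmail.get(emailKey) : undefined;
    // 2. No collision: create a fresh user for this login.
    if (existingId === undefined) {
      const id = this.nextId++;
      this.users.set(id, { id, email: emailKey, hasPassword: false });
      if (emailKey) this.usersByEmail.set(emailKey, id);
      this.externalLogins.set(extKey, id);
      return { outcome: 'created', userId: id };
    }
    // 3. Email collides with an existing account. Anyone can put someone
    //    else's address on a Facebook profile, so auto-link only when the
    //    provider verified the address and actually issues that domain.
    const domain = emailKey.slice(emailKey.indexOf('@') + 1);
    const authoritative = TRUSTED_DOMAIN_ISSUERS[domain] === provider;
    if (emailVerified && authoritative) {
      this.externalLogins.set(extKey, existingId);
      return { outcome: 'linked', userId: existingId };
    }
    // Otherwise park it; the owner must sign in the old way and approve.
    this.pendingLinks.push({ internalId: existingId, provider, providerUserId });
    return { outcome: 'confirmation-required', userId: existingId };
  }

  // The account owner, authenticated with their existing credential, approves.
  confirmPendingLink(internalId, provider, providerUserId) {
    const i = this.pendingLinks.findIndex(
      (p) => p.internalId === internalId && p.provider === provider && p.providerUserId === providerUserId,
    );
    if (i === -1) throw new Error('no such pending link');
    this.pendingLinks.splice(i, 1);
    this.externalLogins.set(`${provider}:${providerUserId}`, internalId);
    return internalId;
  }
}

// Constructed scenario: Tim has a native account; an unrelated Facebook
// profile claims his address; Alice's verified gmail address is asserted by
// Google, which issues gmail.com; the same Google subject later shows up with
// a different email.
function demo() {
  const store = new IdentityStore();
  const tim = store.createNativeUser('tim@rocketeerconsulting.com');
  const fb = store.resolveExternalLogin({
    provider: 'facebook', providerUserId: 'fb-123',
    email: 'tim@rocketeerconsulting.com', emailVerified: true,
  });
  const alice = store.createNativeUser('alice@gmail.com');
  const g = store.resolveExternalLogin({
    provider: 'google', providerUserId: 'g-999', email: 'alice@gmail.com', emailVerified: true,
  });
  const gAgain = store.resolveExternalLogin({
    provider: 'google', providerUserId: 'g-999', email: 'alice.new@gmail.com', emailVerified: true,
  });
  store.confirmPendingLink(tim, 'facebook', 'fb-123'); // Tim signed in with his password first
  const fbConfirmed = store.resolveExternalLogin({
    provider: 'facebook', providerUserId: 'fb-123', email: 'tim@rocketeerconsulting.com', emailVerified: true,
  });
  return { tim, alice, fb, g, gAgain, fbConfirmed };
}
```

The two things to take from the scenario: the Facebook login that claims Tim's address never reaches his account until he confirms it from a session he opened with his own password, and Alice's Google subject keeps mapping to her account even after the email on the Google side changes, which is why the provider's user id, not the address, is the key.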
