Firebase Social Authentication Issue with fb and gmail flow


Vinodh Kumar Reddy

Jun 12, 2016, 11:37:27 AM
to Firebase Google Group
Hi, I have been trying to connect user social profiles using FB and Google, and I see a different behaviour based on which provider the user chooses first.

This only happens when the user uses the same Gmail ID for both FB and Google.

SCENARIO 1:
User first connects with FB using (e.g. a...@gmail.com) and after the popup challenge the provider FB is added to the user.
On the next visit the user clicks on connect with Google using (e.g. a...@gmail.com); then the user's provider is replaced with Google.

SCENARIO 2:
User first connects with Google using (e.g. a...@gmail.com) and after the popup challenge the provider Google is added to the user.
On the next visit the user clicks on connect with FB using (e.g. a...@gmail.com); then an error is thrown back: auth/account-exists-with-different-credential.
The Firebase documentation says in this scenario to show the user a continue option with Google; upon user acceptance, the user is linked with the FB credential and then the user's providers are shown as both FB and Google.
Scenario 2 seems good as we are linking both socials to the same user.

But in the case of SCENARIO 1, there is no error thrown, so the user's provider is replaced by Google.
This is an inconsistent experience for our app users.

Can anyone advise if I am missing anything obvious?


Thanks,
Vinodh




Joe White

Jun 13, 2016, 11:36:17 AM
to Firebase Google Group
You might want to use the "account linking" feature of Firebase ... reference: https://firebase.google.com/docs/auth/cpp/account-linking

Jin Liu

Jun 13, 2016, 2:06:04 PM
to Firebase Google Group
To minimize the login UI clicks without compromising the account security, Firebase Authentication has a concept of 'trusted provider', where the identity provider is also the email service provider. For example, Google is the trusted provider for @gmail.com addresses, Yahoo is the trusted provider for @yahoo.com addresses, and Microsoft for @outlook.com addresses.

In the "One Account per Email address" mode, Firebase Authentication tries to link accounts based on email address. If a user logs in from a trusted provider, the user immediately signs into the account since we know the user owns the email address.

If there is an existing account with the same email address but created with non-trusted credentials (e.g. a non-trusted provider or password), the previous credentials are removed for security reasons. A phisher (who is not the email address owner) might create the initial account; removing the initial credential would prevent the phisher from accessing the account afterwards.

Jin
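The trusted-provider rule above explains both of the original poster's scenarios. The following is an added, constructed model of that policy (it is not Firebase SDK code and does not talk to Firebase); it uses the Firebase provider IDs `google.com`, `facebook.com` and `password`, a hypothetical trusted-provider table for a few email domains, and a made-up address `alice@gmail.com`. Scenario 1 (Facebook first, then Google) removes the untrusted Facebook credential; Scenario 2 (Google first, then Facebook) raises `auth/account-exists-with-different-credential`, which the app resolves by signing in with the existing provider and linking the pending credential.

```javascript
// Constructed model of "one account per email address" with trusted providers.
// Assumption: one trusted provider per email domain (the domains listed in the
// reply above). Anything else, including the password provider, is untrusted.
const TRUSTED_PROVIDER_FOR_DOMAIN = {
  'gmail.com': 'google.com',
  'yahoo.com': 'yahoo.com',
  'outlook.com': 'microsoft.com',
};

function isTrustedProvider(providerId, email) {
  const domain = email.split('@')[1].toLowerCase();
  return TRUSTED_PROVIDER_FOR_DOMAIN[domain] === providerId;
}

// In-memory stand-in for the account store: email -> set of linked provider IDs.
class AccountStore {
  constructor() {
    this.accounts = new Map();
  }

  // Attempt a sign-in with a credential from providerId for the given email.
  signIn(providerId, email) {
    const key = email.toLowerCase();
    const account = this.accounts.get(key);
    if (!account) {
      this.accounts.set(key, new Set([providerId]));
      return { status: 'created', providers: [providerId] };
    }
    if (account.has(providerId)) {
      return { status: 'signed-in', providers: [...account].sort() };
    }
    if (isTrustedProvider(providerId, key)) {
      // Scenario 1: the identity provider is also the mailbox provider, so email
      // ownership is proven. Untrusted credentials that may have been planted by
      // someone who does not own the mailbox are dropped.
      const removed = [...account].filter((p) => !isTrustedProvider(p, key));
      this.accounts.set(key, new Set([providerId]));
      return { status: 'replaced', removed, providers: [providerId] };
    }
    // Scenario 2: an untrusted credential cannot claim an existing account.
    return {
      status: 'error',
      code: 'auth/account-exists-with-different-credential',
      signInMethods: [...account].sort(),
    };
  }

  // Link a pending credential after the user has signed in with an existing method.
  link(email, existingProviderId, pendingProviderId) {
    const account = this.accounts.get(email.toLowerCase());
    if (!account || !account.has(existingProviderId)) {
      throw new Error('sign in with an existing provider before linking');
    }
    account.add(pendingProviderId);
    return [...account].sort();
  }
}

// Facebook first, then Google: the Facebook credential is removed, not linked.
function runScenario1() {
  const store = new AccountStore();
  store.signIn('facebook.com', 'alice@gmail.com');
  return store.signIn('google.com', 'alice@gmail.com');
}

// Google first, then Facebook: error, then resolved by linking.
function runScenario2() {
  const store = new AccountStore();
  store.signIn('google.com', 'alice@gmail.com');
  const result = store.signIn('facebook.com', 'alice@gmail.com');
  if (result.status !== 'error') {
    return { errorCode: null, providers: result.providers };
  }
  // The app shows a "continue with Google" option (result.signInMethods[0]),
  // the user signs in that way, and the pending Facebook credential is linked.
  const existing = result.signInMethods[0];
  store.signIn(existing, 'alice@gmail.com');
  const providers = store.link('alice@gmail.com', existing, 'facebook.com');
  return { errorCode: result.code, providers };
}

console.log(JSON.stringify(runScenario1())); // replaced, removed facebook.com
console.log(JSON.stringify(runScenario2())); // error, then both providers linked
```

The asymmetry is the point: only a credential from the mailbox's own provider proves ownership of the address, so a prior Facebook or password credential is treated as unverified and discarded rather than linked, while a later Facebook credential is held as pending until the user authenticates through a method already on the account.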