Auth - adding Google plugin to my app creates duplicate user accounts


pe...@anewalt.com

Mar 18, 2026, 10:00:57 AM
to py4web
My app has used default/password-based auth for a while.  I would like to add other auth plugins, Google for example.  I can get it working fine, but have an issue.  

I have auth.use_username=False, so email is used as the username.  If an existing user/email with a password now chooses to authenticate using Google instead, a new user account is created for that user.  Now there are 2 auth_user rows with the same email.

Ideally, the same user (identified by email address) could be authenticated in more than one way.    In practice, I would not expect them to switch between the 2 - rather, they see that Google authentication is now available and decide to use that.  So I thought that perhaps there was a reason why the 2 cannot co-exist, but I tested this by copying the sso_id from the new account into the record for the old account, and deleting the new account.  I then tried to login with both methods, and both work fine.

So it should all work as I want, but the duplicate-account creation in auth_user is a bother.  How can I stop that from happening?  

Ali

Mar 22, 2026, 3:05:27 PM
to py4web
I had a similar issue, but realized the email address used by the user in question was not exactly the same when trying the two methods. Gmail is indifferent to "dots".

I know this may not be the answer you are looking for. Sharing just in case. 

pe...@anewalt.com

Mar 23, 2026, 9:13:59 AM
to py4web
Thanks - based on this I tested again and checked very carefully whether there was any difference in the email address between the original and the newly-created rows.  There is not, they are identical.

pe...@anewalt.com

Mar 23, 2026, 10:36:25 AM
to py4web
OK, doing some tracing of activity in auth.py, specifically get_or_register_user, I find that a user record is being queried using the sso_id returned by Google, which fails (because the existing user has not logged in using SSO before & therefore doesn't have an sso_id in their record).  There is an "elif email" statement, which never gets executed since the sso_id was present in the token supplied by Google, so it then proceeds to create a record for the "new" user.

Massimo, can this be changed to check the email in the Google token if the sso_id check fails?
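The two lookup orders discussed in this thread, as an added example that is not py4web's own code: `lookup_as_traced` reproduces the branch order the poster describes (an `elif email` branch that is skipped whenever the token carries an `sso_id`), and `get_or_register_user` shows the email fallback being asked for, linking the provider identity to the existing row instead of inserting a second one. The `UserStore` class is a constructed in-memory stand-in for the auth_user table, the `"provider:sub"` format of `sso_id` is an assumption, and the claim names `sub`, `email` and `email_verified` are the standard OpenID Connect ID-token claims, not something the thread states about py4web's token handling. The fallback only links on a verified email, since an unverified email claim from a provider would let anyone who controls that claim attach their login to someone else's local account.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    id: int
    email: str
    password_hash: Optional[str] = None  # set for password-registered users
    sso_id: Optional[str] = None         # set once linked to a provider identity


class UserStore:
    """Constructed in-memory stand-in for the auth_user table."""

    def __init__(self):
        self.rows = []

    def by_sso_id(self, sso_id):
        return next((u for u in self.rows if u.sso_id == sso_id), None)

    def by_email(self, email):
        # Compare case-insensitively; emails are usernames here (use_username=False)
        email = email.strip().lower()
        return next((u for u in self.rows if u.email.strip().lower() == email), None)

    def insert(self, **fields):
        user = User(id=len(self.rows) + 1, **fields)
        self.rows.append(user)
        return user


def lookup_as_traced(store, provider, token):
    """Branch order reconstructed from the thread (not py4web's actual source):
    the email branch is never reached when an sso_id is present, so a
    password-registered user gets a second auth_user row on first Google login."""
    sso_id = f"{provider}:{token['sub']}"  # assumed sso_id format
    user = None
    if sso_id:
        user = store.by_sso_id(sso_id)
    elif token.get("email"):
        user = store.by_email(token["email"])
    if user is None:
        user = store.insert(email=token.get("email"), sso_id=sso_id)
    return user


def get_or_register_user(store, provider, token):
    """Return (user, action) for the identity in `token`, a dict of provider
    claims. Lookup order: sso_id, then verified email (linking the sso_id to
    the existing row), then register a new user."""
    sso_id = f"{provider}:{token['sub']}"  # assumed sso_id format
    user = store.by_sso_id(sso_id)
    if user is not None:
        return user, "linked"

    email = token.get("email")
    if not email:
        raise ValueError("provider token carries no email; cannot register")
    # Only trust the email for account linking when the provider asserts it is
    # verified; otherwise the email claim alone would be enough to take over
    # an existing local account.
    if not token.get("email_verified", False):
        raise ValueError("provider did not verify the email; refusing to link")

    user = store.by_email(email)
    if user is not None:
        user.sso_id = sso_id  # attach the provider identity to the existing row
        return user, "linked_existing"

    return store.insert(email=email, sso_id=sso_id), "registered"
```

Running both against the same starting table (one password user, then a first Google login with the same email) shows the traced order ending with two rows and the fallback order ending with one row whose `sso_id` is now set, which is exactly the state the original poster reached by hand-editing the table.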

