 

How can I setup Google Oauth to allow login using an alternate Google account?

I made a members-only site that uses Google oauth2 to authorise users. The site is built with the Laravel framework and Artdarek's oauth library.

When the authorization callback comes from Google, I look up the user record in the DB by email and proceed to the protected page if the record exists, otherwise to a register page.

The problem is some of our members use two Google accounts. One user registered via his primary account (e.g. [email protected]). The next day he returned and mistakenly tried to login with [email protected]. Naturally the system showed him the registration page. From that time on, each time he visits the site the authentication mechanism sees him using his second (unwanted) set of credentials.

To resolve this one case I instructed him to log out of all accounts (on both sides), clear cookies and start from scratch, but this is not a practical solution for all users. In some cases even this measure does not seem to correct the problem.

How can I solve this case? What is the right way to request oauth authentication and get them back from the right account? Can I force Google to ask the user with which account to proceed?

hctopcu asked Nov 01 '22 18:11



1 Answer

Google will automatically ask the user which account they want on an oauth request if they enable the account chooser.

I have logged into my Google Apps and my Google account, so for me on an oauth request, I get the following prompt:

[image: google-oauth]

In order to do the same for your user, they have to click "Stay signed in", but of course this is not advisable for public computers.

Beyond the above, I'm afraid not much can be done: if they logged in with [email protected] at that time, these are the credentials you will receive.

The way I solve this problem is to have a field where the customer can add additional emails, and select one that is primary. I will then inspect against these emails when a request comes in to avoid duplicate user accounts.

Burhan Khalid answered Nov 07 '22 21:11

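As an added example, not code from the question, the answer or Artdarek's library: a framework-agnostic PHP lookup that implements the multi-email matching the answer describes, so a member signing in with a second Google account lands on his existing record instead of the register page. It assumes the callback profile carries `email` and a boolean `email_verified` flag (the exact key depends on which Google userinfo endpoint the library calls) and uses an in-memory array as a stand-in for the users table.

```php
<?php
// Added example: resolve a member from a Google OAuth callback profile by
// checking the primary email AND the alternate emails stored on each record.
// $users is a constructed stand-in for the DB; replace it with an Eloquent query.

declare(strict_types=1);

function normalizeEmail(string $email): string
{
    // Compare addresses in one canonical form so "Alice@Example.org" and
    // "alice@example.org" do not produce two different member accounts.
    return strtolower(trim($email));
}

/**
 * @param array $profile Callback data, assumed shape: ['email' => ..., 'email_verified' => bool]
 * @param array $users   Rows with 'id', 'email' (primary) and 'alt_emails' (array of strings)
 * @return int|null      Matching user id, or null to send the visitor to the register page
 */
function resolveUser(array $profile, array $users): ?int
{
    // Only trust an address Google has verified; an unverified email must
    // never map onto an existing member's record.
    if (empty($profile['email']) || ($profile['email_verified'] ?? false) !== true) {
        return null;
    }
    $incoming = normalizeEmail($profile['email']);

    foreach ($users as $user) {
        $candidates = array_merge([$user['email']], $user['alt_emails'] ?? []);
        foreach ($candidates as $candidate) {
            if (normalizeEmail($candidate) === $incoming) {
                return $user['id'];
            }
        }
    }
    return null; // unknown address: show the registration page
}

// Constructed sample data standing in for the users table.
$users = [
    ['id' => 1, 'email' => 'alice@example.com', 'alt_emails' => ['alice.work@example.org']],
    ['id' => 2, 'email' => 'bob@example.com',   'alt_emails' => []],
];

var_dump(resolveUser(['email' => 'Alice.Work@Example.org', 'email_verified' => true], $users));
var_dump(resolveUser(['email' => 'carol@example.com', 'email_verified' => true], $users));
var_dump(resolveUser(['email' => 'bob@example.com', 'email_verified' => false], $users));
```

When a member adds an alternate address, have him prove ownership by completing the same Google sign-in with that account before it is saved; otherwise anyone could attach another member's address to his own record and be resolved as that member.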