My problem is as follows:
I want to associate multiple oauth2 accounts to the same user by email (e.g. the design of medium.com or slant.co). I need to understand the security consequences about this scenario.
This scenario is really impossible for something like Google, but it's possible for Facebook or Twitter backends. There is no way to make sure that User_A really owns all services using the same email, right? If I am right, what are the measures to make sure that a user cannot login to another user's account?
Great question and many developers don't do the right things in these cases. When we built Firebase Auth (previously known as Google Identity Toolkit and you can see some detail on that page) we spent a lot of time analyzing these cases. It will be hard to describe in detail here but a few concepts will help.
Depending on the sensitivity of the data on your site and how you allow "account recovery", you could always allow sign-in through an authoritative IDP, but if the user tries to sign in with another IDP that is not authoritative, you should require them to confirm the original account credential at the time of merging (e.g. ask for the password or ask for an assertion from Google before allowing them to take over the account with just a Facebook sign-in).
Hopefully that helps. It is complicated so being careful is better and unmerging is going to be almost impossible.
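The decision logic the answer describes, as an added example (not the asker's code and not Firebase Auth's): an authoritative IdP with a verified e-mail may sign in directly, while a non-authoritative IdP asserting the same e-mail is held until the user proves ownership of the existing account. The provider names, the trust policy and the in-memory user store are constructed assumptions.

```python
# Added example (not the asker's or Firebase Auth's code): account-linking
# decision for several OAuth2/OIDC providers that assert the same e-mail.
# Provider names, trust levels and the in-memory store are constructed.
from dataclasses import dataclass, field

# IdPs whose e-mail claim we treat as authoritative for the mailbox (policy choice).
AUTHORITATIVE_IDPS = {"google"}

@dataclass
class Assertion:
    idp: str              # provider id, e.g. "google" or "facebook"
    subject: str          # stable user id at that provider
    email: str
    email_verified: bool  # did the IdP verify the mailbox?

@dataclass
class User:
    email: str
    linked: dict = field(default_factory=dict)  # idp -> subject

def normalize(email: str) -> str:
    return email.strip().lower()

def decide(users: dict, a: Assertion) -> str:
    """Return 'signin', 'create', 'link-requires-reauth' or 'reject'."""
    email = normalize(a.email)
    user = users.get(email)
    if user is None:
        if not a.email_verified:
            return "reject"  # never key an account on an unverified e-mail claim
        users[email] = User(email=email, linked={a.idp: a.subject})
        return "create"
    if user.linked.get(a.idp) == a.subject:
        return "signin"  # this provider identity is already linked
    if a.idp in AUTHORITATIVE_IDPS and a.email_verified:
        user.linked[a.idp] = a.subject  # authoritative IdP may sign in directly
        return "signin"
    # Same e-mail from a non-authoritative IdP: do not merge until the user
    # proves ownership of the existing account (password or authoritative IdP).
    return "link-requires-reauth"

def confirm_link(users: dict, a: Assertion, proved_ownership: bool) -> bool:
    """Second step after re-authentication; links only when ownership was proved."""
    user = users.get(normalize(a.email))
    if user is None or not proved_ownership:
        return False
    user.linked[a.idp] = a.subject
    return True
```

Once a link is confirmed, later sign-ins from that provider identity succeed directly, which is why the answer stresses that unmerging afterwards is practically impossible.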