21

In testing django-allauth, if I log in and log out with different social accounts, they don't seem to be linked together (in that I cannot access them by looking at socialaccount_set.all.0, socialaccount_set.all.1, etc.).

Can someone explain how to link social accounts together?

I did see this post: how do i connect multiple social auth providers to the same django user using django-allauth? which seems to put the onus on the user to log in first with one social account, and then link the other accounts for himself.

Certainly there should be a way to do this without putting the onus on the user? Maybe by email addresses?

Is there a way to do this after the fact with existing users?

voisin
  • You could have a stab at auto-linking if the email address of both the social accounts is the same. I answered a similar question, which you might find useful - http://stackoverflow.com/a/19443127/805427 – elssar Dec 01 '13 at 17:43

2 Answers

25

If your user is already logged in, I've successfully connected another account using the tag provider_login_url and setting the attribute process="connect". Here is the code snippet to put in a block displayed for authenticated users:

{% load socialaccount %}
<p><a href="{% provider_login_url "facebook" process="connect" %}">Connect a facebook account</a></p>
<p><a href="{% provider_login_url "google" process="connect" %}">Connect a Google account</a></p>

Set SOCIALACCOUNT_QUERY_EMAIL=True and don't forget to ask for the email in the scope of your providers:

SOCIALACCOUNT_PROVIDERS = {
    'facebook': {
        'SCOPE': ['email'],
        'AUTH_PARAMS': {'auth_type': 'reauthenticate'},
        'METHOD': 'oauth2',
        'LOCALE_FUNC': lambda request: 'pt_BR',
    },
    'google': {
        'SCOPE': ['https://www.googleapis.com/auth/userinfo.profile', 'email'],
        'AUTH_PARAMS': {'access_type': 'online'},
    },
}

I also want to know if it is possible to automatically associate an account using the email address. I can see in the column "extra_data" of the socialaccount_socialaccount table that both Google and Facebook send a "verified_email": true. For me it would be enough to automatically associate the logins, and it would be a great usability enhancement.

neves
16

Certainly there should be a way to do this without putting the onus on the user? Maybe by email addresses?

Be very very careful about how you do this. You may be opening a huge security hole. If you don't put some onus on the user and just auto-link accounts with the same email address you introduce the following attack vector:

  • Find user on your site, figure out their email address (often this is very easy)
  • Create account at one of your providers with my email
  • Verify email, add their email, delete mine (it only takes one of your providers to not do the full corner cases for this hole to open)
  • 'Signup' for your service with my new lax-provider account
  • Get automatched to initial user, get access to their account

You can take steps to reduce this risk, but even if all providers require email confirmation now, any slip-up in the 3rd party teams would then open this hole in your security.

Maybe for what you're doing the risk is merited, just please be careful. A bit of onus on the user is probably not the worst thing.

I've seen flows where it suggests an auto-match, then asks you for your password or to re-authenticate with one of the original providers to add the new account to your original account. These wouldn't have the same potential to exploit, but have some brain-f*ck level corner cases and UI complications.

Ted
  • 4
    Ok, it may be a security problem, but you aren't answering the question. – neves Oct 14 '13 at 04:33
  • 7
    @neves I'm objecting to consideration of the question. It is an answer, just not the one you want. "You shouldn't" is the correct answer way more than 99% of the time when the question is "How do I cut my arm off." – Ted Sep 22 '14 at 19:09
  • 11
    Not to start a flame war here. Your security concerns are reasonable, but security is a trade off. If my third parties are just Google and Facebook and my site isn't a banking account, maybe I can trade the security for a better usability. – neves Sep 24 '14 at 20:51
  • Please read the question before writing the same rave everywhere, the user already has a django account, what security concerns are you talking about? – Denis Apr 22 '17 at 12:17
  • This is a security problem only if the provider is completely untrusted. If the OAuth provider is Google or Microsoft where only your gmail (or Microsoft apps) account is authenticated by them, the security hole you're talking about is severely overstated. The ease of use makes sense in a number of use cases. – Rohit May 19 '20 at 18:59
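As an added example (not part of either answer, and not django-allauth's own code), the following plain-Python policy check captures the trade-off the two answers describe: it auto-links only when the provider is on an explicit allowlist, the provider's profile data marks the e-mail as verified, and the local account's e-mail is verified too; anything else falls back to asking the user to re-authenticate. The names Decision, LocalUser, TRUSTED_PROVIDERS and decide_link are assumed, and the users_by_email dict stands in for a database lookup; in django-allauth the same check would be called from a custom SocialAccountAdapter.pre_social_login().

```python
# Added example: e-mail auto-link policy written without Django so it runs stand-alone.
# All names here are hypothetical; wire the decision into your SocialAccountAdapter.
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    AUTO_LINK = "auto_link"        # safe to attach the social account silently
    REAUTHENTICATE = "reauth"      # put some onus on the user: prove ownership first
    NEW_ACCOUNT = "new_account"    # no matching local user, proceed with normal signup


@dataclass
class LocalUser:
    email: str
    email_verified: bool


# Providers whose "e-mail verified" claim we are prepared to trust. A provider that
# lets a user add an unverified address (the "lax provider" above) must not be listed.
TRUSTED_PROVIDERS = {"google", "facebook"}


def provider_reports_verified(extra_data: dict) -> bool:
    """Read the verified flag from the provider's profile JSON (allauth's extra_data).

    Google and Facebook send "verified_email" (as observed in the answer above);
    OpenID Connect providers use "email_verified". Anything but a literal boolean
    true (e.g. a string "true" or a missing key) is treated as unverified.
    """
    flag = extra_data.get("verified_email", extra_data.get("email_verified"))
    return flag is True


def decide_link(provider: str, extra_data: dict, users_by_email: dict) -> Decision:
    """Decide whether a fresh social login may be linked to an existing local user."""
    email = (extra_data.get("email") or "").strip().lower()
    user = users_by_email.get(email)
    if user is None:
        return Decision.NEW_ACCOUNT
    # Every condition must hold; a failure of any one of them falls back to re-auth,
    # which is what closes the "attacker-controlled e-mail at a lax provider" path.
    if (provider in TRUSTED_PROVIDERS
            and provider_reports_verified(extra_data)
            and user.email_verified):
        return Decision.AUTO_LINK
    return Decision.REAUTHENTICATE
```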