
I've been trying to set up an application that supports 3 types of authentication:

  • Email / password
  • Google (OAuth)
  • Facebook (OAuth)

In Firebase > Authentication > Sign-in methods, I've enabled the 3 options mentioned above. In Firebase > Authentication > Advanced, I have the following set: "Prevent creation of multiple accounts with the same email address"

Just FYI, the password I use in my app to create an account with [Email/password] is different from my Google account, which is also different from my Facebook account (3 separate passwords - very real world scenario)

  • [Email/password]: john.doe@gmail.com, Password123
  • [Google]: john.doe@gmail.com, Password456
  • [Facebook]: john.doe@gmail.com, Password789

I want a user to Sign up with whatever provider they want to and then later on, link any other available sign-in / authentication options.

I can manage to properly setup [Email / Password] or the OAuth providers (Google and Facebook). But, when I try and integrate all 3 together, all hell breaks loose. Some noted errors:

  1. Scenario A)

    • Create user with email / password / sign in / sign out (works fine)
    • Login with Google OAuth (associated to same email) as above, accounts are linked together / sign in / sign out
    • attempt to login with email/ password again -> ERROR
      • Google OAuth seems to have overridden the previous account settings
  2. Scenario B)

    • Create user with email / password / sign in / sign out (works fine)
    • Login with Facebook OAuth (associated to same email) as above, accounts are linked together but get an error when attempting to login because my password used doesn't match my Facebook password. Yet this DOESN'T HAPPEN when I link my Google and Facebook accounts together. Why this issue with [Email/password] and OAuth providers?

I know there have been some updates / changes recently within Firebase, maybe the documentation / examples I checked weren't up-to-date. Has anyone successfully been able to use [Email/password] authentication with OAuth providers as well? Can anyone provide a good example online or some recent documentation I can take a look at?

Btw, running code in Angular5 if that helps. Thanks in advance for any help.

JB

Doug Stevenson
john.acb

1 Answer


Scenario A) happens because the email/password is unverified. The account is unlinked to prevent hijacking. For example, I can claim another person's Google email and create an email/password account. The owner of that Google account will then try to log in to that account. I should lose access to it. To solve, try verifying the email after the email/password account is created. The verified account will not be unlinked.

Scenario B) This does not happen because of the passwords. Firebase doesn't have access to your Facebook or Google password. Are you sure you are linking the account correctly? When you try to log in with Facebook using the same email as an existing email/password account, you will get an error that the credential already exists (the error also returns the Facebook credential). You will need to first sign in to the existing email/password account and then link the Facebook credential to that account.

bojeil
  • I'm unclear on Scenario B. Suppose I create an account with email/psw (assume the verification email has been sent and the email is verified). In my web app, while unauthenticated, I try signing up with FB (same email) and I get the error you mentioned (something like: "credential already exists"). You're saying that I have to 1st log in with the email/psw provider and then associate my FB account? Is that how Firebase works internally? – john.acb Apr 18 '18 at 18:25
  • This doesn't happen with the GoogleAuth provider. If I repeat this but swap out FB and use Google, it works fine. Plus, I've seen this in a lot of other sites. I don't want a user to have to re-login with email/psw if they want to link their FB account. If the email is verified, I just want the user's existing account to sync with the FB account. Is this possible? Thanks JB – john.acb Apr 18 '18 at 18:25
  • You have to prove ownership of the previous account before you link. That is a security requirement. Google is different since it is a verified account. When you sign in with Google, you own the Google account and Google verifies that your gmail.com account is yours. – bojeil Apr 18 '18 at 19:44
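The recovery flow the answer describes (catch the "account exists with different credential" error, sign in to the existing email/password account to prove ownership, then link the pending Facebook credential), as an added example that is not code from the question, the answer or Firebase itself. `signInOrLink` is written against the Firebase JS SDK method names of that era (`signInWithPopup`, `fetchSignInMethodsForEmail`, `signInWithEmailAndPassword`, `user.linkWithCredential`, and the `email` / `credential` fields Firebase sets on the error); `makeStubAuth` is a constructed stand-in for `firebase.auth()` so the flow runs offline, and `askForPassword` is an assumed UI callback.

```javascript
const ACCOUNT_EXISTS = 'auth/account-exists-with-different-credential';

// Recovery flow from the answer: on the "account exists" error, sign in to the
// existing email/password account first, then link the pending OAuth credential.
async function signInOrLink(auth, provider, askForPassword) {
  try {
    return await auth.signInWithPopup(provider);
  } catch (err) {
    if (err.code !== ACCOUNT_EXISTS) throw err;
    // Firebase attaches the email and the pending OAuth credential to this error.
    const methods = await auth.fetchSignInMethodsForEmail(err.email);
    if (!methods.includes('password')) throw err; // existing account is not email/password
    // Prove ownership of the existing account before linking anything to it.
    const password = await askForPassword(err.email);
    const { user } = await auth.signInWithEmailAndPassword(err.email, password);
    await user.linkWithCredential(err.credential);
    return { user };
  }
}

// Constructed stand-in for firebase.auth(), modelling only what the flow above
// touches; accounts is a Map of email -> { password, providers: [] }.
function makeStubAuth(accounts) {
  const fail = (code) => Object.assign(new Error(code), { code });
  const userFor = (email) => ({
    email,
    linkWithCredential: async (cred) => { accounts.get(email).providers.push(cred.providerId); },
  });
  return {
    async signInWithPopup(provider) {
      // provider.email stands in for the email the real OAuth flow would return.
      const acct = accounts.get(provider.email);
      const cred = { providerId: provider.providerId };
      if (acct && !acct.providers.includes(provider.providerId)) {
        throw Object.assign(fail(ACCOUNT_EXISTS), { email: provider.email, credential: cred });
      }
      if (!acct) accounts.set(provider.email, { password: null, providers: [cred.providerId] });
      return { user: userFor(provider.email) };
    },
    async fetchSignInMethodsForEmail(email) {
      const acct = accounts.get(email);
      return acct ? acct.providers.slice() : [];
    },
    async signInWithEmailAndPassword(email, password) {
      const acct = accounts.get(email);
      if (!acct || acct.password !== password) throw fail('auth/wrong-password');
      return { user: userFor(email) };
    },
  };
}
```

A wrong password at the ownership step rejects with `auth/wrong-password` and nothing is linked, which is the behaviour the answer requires.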