1

I use firebase authentication for my web app with three providers: email-password, google, or facebook. I have enabled the option "One account per email address".

When a user signs up using email-password (with a gmail address), then later uses google sign-in, I expect to receive an exception "auth/account-exists-with-different-credential", but I do not. His providerId is changed to google.com and he cannot use his password anymore (throws "auth/wrong-password").

Is this normal behaviour?

Louis Coulet
  • 3,663
  • 1
  • 21
  • 39

4 Answers

2

Firebase Authentication has a concept of a preferred provider for certain email addresses. The most common one is that google.com is the preferred provider for @gmail.com addresses, but I think they also exist for Facebook and Microsoft accounts.

If an existing account later signs up again from a preferred provider, that provider overwrites the existing user account. There is no way to change this behavior (that I know of).

Also see:

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • Thank you for this answer. The links about *preferred* and *trusted* providers are helping. This notion could be a nice addition to the firebase guides. – Louis Coulet Jan 04 '21 at 17:15
0

This is how I'm solving it: https://firebase.google.com/docs/auth/android/account-linking

Just link the "accounts".
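As an added example of what "link the accounts" looks like on the web client (this is not code from the answer above or from Firebase's docs), the flow below catches auth/account-exists-with-different-credential, signs the user into the existing password account, and links the pending Google credential to it. It assumes the modular Web SDK (v9+) names signInWithPopup, GoogleAuthProvider.credentialFromError, fetchSignInMethodsForEmail, signInWithEmailAndPassword and linkWithCredential; those calls are passed in through an `api` object so the same logic runs here against a constructed in-memory fake (the user alice@example.com, the password and the credential token are all made up). One caveat the question itself raises: this error only fires when Firebase refuses to replace the account. For a preferred provider (Google for a gmail address) with an unverified password account, the overwrite described in the question happens silently and this handler never runs.

```javascript
// Added example (not from the answer above): recover from
// "auth/account-exists-with-different-credential" by signing in with the
// existing password account and linking the pending Google credential to it.
// The modular Web SDK (v9+) calls are passed in via `api`, so the same logic
// runs here against a constructed in-memory fake. With the real SDK you would bind:
//   import { getAuth, signInWithPopup, GoogleAuthProvider, fetchSignInMethodsForEmail,
//            signInWithEmailAndPassword, linkWithCredential } from "firebase/auth";
//   const auth = getAuth();
//   const api = {
//     googleProvider: new GoogleAuthProvider(),
//     signInWithPopup: (p) => signInWithPopup(auth, p),
//     credentialFromError: (e) => GoogleAuthProvider.credentialFromError(e),
//     fetchSignInMethodsForEmail: (email) => fetchSignInMethodsForEmail(auth, email),
//     signInWithEmailAndPassword: (e, pw) => signInWithEmailAndPassword(auth, e, pw),
//     linkWithCredential,
//   };

async function signInWithGoogleAndLink(api, promptForPassword) {
  try {
    // Happy path: brand-new user, or an account that already has google.com linked.
    const result = await api.signInWithPopup(api.googleProvider);
    return { user: result.user, linked: false };
  } catch (error) {
    if (error.code !== "auth/account-exists-with-different-credential") throw error;

    // Firebase kept the existing account; grab the Google credential it rejected.
    const email = error.customData.email;
    const pendingCred = api.credentialFromError(error);
    const methods = await api.fetchSignInMethodsForEmail(email);

    if (!methods.includes("password")) {
      // Existing account belongs to another federated provider (e.g. facebook.com):
      // the user must sign in with that provider first, then the app can link.
      throw new Error(`account uses ${methods.join(", ")}; sign in there first, then link`);
    }

    // Prove ownership of the password account, then attach the Google credential to it.
    const password = await promptForPassword(email);
    const { user } = await api.signInWithEmailAndPassword(email, password);
    await api.linkWithCredential(user, pendingCred);
    return { user, linked: true };
  }
}

// Constructed stand-in for the SDK: one pre-existing password-only account.
// Its signInWithPopup behaves the way Firebase does for a NON-preferred provider.
function makeFakeApi() {
  const users = {
    "alice@example.com": { uid: "uid-alice", providers: ["password"], password: "s3cret" },
  };
  const googleCred = { providerId: "google.com", idToken: "constructed-google-id-token" };
  const api = {
    googleProvider: { providerId: "google.com" },
    async signInWithPopup(provider) {
      const email = "alice@example.com"; // the address Google returned for this user
      const existing = users[email];
      if (existing && !existing.providers.includes(provider.providerId)) {
        const err = new Error("account exists with different credential");
        err.code = "auth/account-exists-with-different-credential";
        err.customData = { email, _credential: googleCred };
        throw err;
      }
      return { user: existing };
    },
    credentialFromError: (err) => err.customData._credential,
    async fetchSignInMethodsForEmail(email) {
      return users[email] ? [...users[email].providers] : [];
    },
    async signInWithEmailAndPassword(email, password) {
      const u = users[email];
      if (!u || u.password !== password) {
        const err = new Error("wrong password");
        err.code = "auth/wrong-password";
        throw err;
      }
      return { user: u };
    },
    async linkWithCredential(user, cred) {
      user.providers.push(cred.providerId);
      return { user };
    },
  };
  return { api, users };
}

// Runs the flow against the fake and returns the observable outcome.
async function demo(password = "s3cret") {
  const { api, users } = makeFakeApi();
  const result = await signInWithGoogleAndLink(api, async () => password);
  return { linked: result.linked, uid: result.user.uid, providers: users["alice@example.com"].providers };
}

demo().then((r) => console.log(r));
```

After a successful run the fake account carries both "password" and "google.com", which is the state the question's user expected instead of having the password provider replaced. A wrong password surfaces as auth/wrong-password from the nested sign-in and nothing is linked.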

0

Update 2023:

You can now choose if you want to allow 'User account linking'. For example, if you don't allow multiple accounts with the same email address, a user cannot create a new account that signs in using a Google Account with the email address ex@gmail.com if there already is an account that signs in using the email address ex@gmail.com and a password.

If you do allow multiple accounts with the same email address, your app's sign-in flow cannot rely on an email address to identify a user account.

You can find this under settings within Firebase Authentication.

There are some caveats to using this feature; please read about them here:

Firebase Authentication Settings

baek
  • 425
  • 3
  • 7
0

If you set email_verified to True after the user has signed up, their sign-in provider does not get replaced when they sign in with a non-email-verified sign-in provider.

E.g. using the Python firebase_admin:

import firebase_admin
from firebase_admin import auth

# Initialise the Admin SDK once (uses GOOGLE_APPLICATION_CREDENTIALS by default)
firebase_admin.initialize_app()

# `token` is the Firebase ID token the client sent with the request
authorized_user = auth.verify_id_token(token)
auth.update_user(authorized_user["uid"], email_verified=True)

But it's better to verify their email address of course. Only use this if you know they own the email address.

Martin
  • 199
  • 2
  • 6